Populate JAAS Subject From Client Configuration Properties

The Populate JAAS Subject From Client provider enables administrators to add client values as named credentials, name principals, and role principals to the authenticated subject.

Description

This provider adds the configured values from the shared-context client HTTP map to the authenticated subject as the specified NamedCredentials. Adding client values as named credentials allows them to be used for single sign-on. When the user is authenticated with a token from the client session and the corresponding authentication provider cannot retrieve the user name from the token (and so cannot add it as a principal for impersonation checking), the administrator can configure this provider to add the appropriate header value from the client session to the authenticated subject as a principal.

Note: Rogue applications could intentionally insert HTTP headers with arbitrary values to obtain principals, roles, or credentials that they otherwise would not receive using the other login modules. Use this provider in an environment where you know the network edge behavior and have ensured that applications cannot bypass or override that environment.

This provider does not authenticate the subject; it adds the NamedCredential only if the user is successfully authenticated by other providers. It always returns “false” from the login method and should always be configured with the control flag set to “optional” to avoid affecting the outcome of the authentication process.

Properties

Populate JAAS Subject From Client Properties

Control Flag
  Default value: Optional
  Indicates how the security provider is used in the login sequence.
  • Optional – the authentication provider is not required, and authentication proceeds down the authentication provider list, regardless of success or failure.
  • Sufficient – the authentication provider is not required, and subsequent behavior depends on whether authentication succeeds or fails.
  • Required – the authentication provider is required, and authentication proceeds down the authentication provider list.
  • Requisite – the authentication provider is required, and subsequent behavior depends on whether authentication succeeds or fails.

Description
  Default value: None
  (Optional) A meaningful string that describes the provider's usage.
  A description makes it easier to differentiate between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, and each targets a different repository.

Client HTTP Values As Named Credentials
  Default value: None
  Comma-separated list of mappings that specify the names of attributes (headers and cookies) from the client HTTP communication channel that should be added as credentials after successful authentication, and the corresponding names to associate with those credentials. For example:
    httpHeaderName:credentialName1
    httpCookieName:credentialName2

Client HTTP Values As Name Principals
  Default value: None
  Comma-separated list of attributes (headers and cookies) from the client HTTP communication channel whose values should be added as name principals after successful authentication. For example:
    clientPropertyName2, clientPropertyName10

Client HTTP Values As Role Principals
  Default value: None
  Comma-separated list of attributes (headers and cookies) from the client HTTP communication channel whose values should be added as role principals after successful authentication. For example:
    clientPropertyName2, clientPropertyName10
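The following is an added illustration, not the product's own code: a minimal JAAS LoginModule with the behaviour this page describes, where login() always returns false (hence the “optional” control flag) and commit() copies header and cookie values from the shared-context client map into the Subject according to the three properties above. The NamedCredential and ClientPrincipal types, the shared-state key client.http.values and the option names are assumptions; records require Java 16 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Illustrative only: credential/principal types, shared-state key and option names are assumed.
public class ClientValuesLoginModule implements LoginModule {
    public record NamedCredential(String name, String value) {}
    public record ClientPrincipal(String name, boolean isRole) implements Principal {
        @Override public String getName() { return name; } }

    private Subject subject;
    private Map<String, ?> options = Map.of();
    private Map<String, String> clientValues = Map.of();  // shared-context client HTTP map

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; options = opts;
        Object m = shared.get("client.http.values");        // assumed shared-state key
        if (m instanceof Map) clientValues = (Map<String, String>) m;
    }
    // Never authenticates anyone: always false, which is why the control flag must be "optional".
    @Override public boolean login() { return false; }

    // Runs only once the other providers have authenticated the user.
    @Override public boolean commit() {
        // "httpHeaderName:credentialName1,httpCookieName:credentialName2"
        for (String mapping : split("clientValuesAsNamedCredentials")) {
            String[] kv = mapping.split(":", 2);
            String v = kv.length == 2 ? clientValues.get(kv[0].trim()) : null;
            if (v != null) subject.getPublicCredentials().add(new NamedCredential(kv[1].trim(), v));
        }
        addPrincipals("clientValuesAsNamePrincipals", false);  // "clientPropertyName2, clientPropertyName10"
        addPrincipals("clientValuesAsRolePrincipals", true);
        return true;
    }
    @Override public boolean abort() { return false; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof ClientPrincipal); return true; }

    // The attribute's VALUE (for example a user-id header) becomes the principal name.
    private void addPrincipals(String option, boolean role) {
        for (String attr : split(option)) {
            String v = clientValues.get(attr);
            if (v != null) subject.getPrincipals().add(new ClientPrincipal(v, role));
        }
    }
    private List<String> split(String option) {            // comma-separated option, or empty
        Object raw = options.get(option);
        return raw == null ? List.of() : Arrays.stream(raw.toString().split(","))
                .map(String::trim).filter(t -> !t.isEmpty()).toList();
    }
}
```

Because every value in clientValues originates from the client request, the note above applies: the gateway in front of this module must be the only path by which those headers and cookies can reach it.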
Related concepts
Populate JAAS Subject From Client Provider
Propagate Single Sign-on Using Populate JAAS Subject From Client
Related tasks
Creating and Configuring Security Profiles
Mapping a Logical Role to a Physical Role