Junction handling of extended credential attributes
The user-defined credential information created in the previous section can be placed in an HTTP header of the request sent across a junction to a back-end server.
We must configure the junction to extract extended attribute data from the credential and insert the data into the HTTP header of the request. This functionality is achieved by setting a junction extended attribute, called HTTP-Tag-Value, on the junction object in the WebSEAL protected object space.
We use the pdadmin object modify set attribute command to set extended attributes on a junction object in the WebSEAL protected object space.
pdadmin> object modify object_name set attribute attr_name attr_value
An extended attribute (attr_name) enables the junction to perform a specific type of functionality. The HTTP-Tag-Value extended attribute instructs the junction to extract a particular value from a user's credential and send the value to the back-end server in an HTTP header. The value of the HTTP-Tag-Value extended attribute uses the following format:
credential_extended_attribute_name = http_header_name
The credential_extended_attribute_name entry is the same as the attribute specified in the WebSEAL configuration file but without the "tagvalue_" prefix. The entry is not case-sensitive. The http_header_name entry specifies the name of the HTTP header used to deliver the data across the junction.
For example:
pdadmin> object modify /WebSEAL/WS1/junctionA set attribute HTTP-Tag-Value credattrs_lastname=surname
When WebSEAL processes a user request to a back-end application server, it looks for any HTTP-Tag-Value attributes configured on the junction object.
In this example, the configured junction looks at the credential of the user making the request, extracts the value of the tagvalue_credattrs_lastname credential extended attribute, and places it in an HTTP header as:
surname:Smith
In summary:
Description: Header text
Value of HTTP-Tag-Value attribute set on the junction object: credattrs_lastname=surname
Attribute name and value as they appear in the user credential (since tagvalue_credattrs_lastname=sn): tagvalue_credattrs_lastname:Smith
HTTP header name and value: surname:Smith
If the back-end application is a CGI application, the CGI specification dictates that HTTP headers are made available to CGI programs as environment variables in the form:
HTTP_http_header_name
For example:
HTTP_surname=Smith
Multiple user attributes can be passed to the junctioned server in HTTP headers by using multiple pdadmin object modify set attribute commands to specify multiple HTTP-Tag-Value junction attributes (one attribute is specified per command).
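The mapping described above can be modeled to check a set of HTTP-Tag-Value values against a credential before they are applied with pdadmin. This is an added example, not WebSEAL code: the function names, the sample credential and the treatment of a missing attribute (no header, reported as unmatched) are assumptions of the model. The CGI lookup accepts both the HTTP_surname spelling shown above and the upper-cased form that RFC 3875 specifies.

```python
# Added illustration: models the mapping described above; not WebSEAL code.
PREFIX = "tagvalue_"  # prefix used in the WebSEAL configuration file

def parse_tag_value(value):
    """Split 'credential_extended_attribute_name = http_header_name'."""
    name, sep, header = value.partition("=")
    name, header = name.strip(), header.strip()
    if not sep or not name or not header:
        raise ValueError(f"malformed HTTP-Tag-Value: {value!r}")
    return name, header

def junction_headers(credential, tag_values):
    """Return (headers, unmatched) for one request.

    credential: attribute name -> value, names carrying the tagvalue_ prefix.
    tag_values: the HTTP-Tag-Value values set on the junction object.
    """
    # The entry is not case-sensitive, so index the credential in lowercase.
    by_name = {k.lower(): v for k, v in credential.items()}
    headers, unmatched = {}, []
    for value in tag_values:
        name, header = parse_tag_value(value)
        key = (PREFIX + name).lower()
        if key in by_name:
            headers[header] = by_name[key]
        else:
            # Model assumption: a missing attribute yields no header.
            unmatched.append(value)
    return headers, unmatched

def cgi_lookup(environ, header):
    """Read a junction header from a CGI environment (HTTP_<name>)."""
    wanted = ("HTTP_" + header.replace("-", "_")).upper()
    for key, value in environ.items():
        if key.upper() == wanted:
            return value
    return None

# Constructed sample data (hypothetical user and attribute names).
CREDENTIAL = {"tagvalue_credattrs_lastname": "Smith",
              "tagvalue_credattrs_mail": "smith@example.com"}
TAG_VALUES = ["credattrs_lastname=surname",
              "CredAttrs_Mail = user-mail",
              "credattrs_phone=phone"]

if __name__ == "__main__":
    print(junction_headers(CREDENTIAL, TAG_VALUES))
```

A value that keeps the "tagvalue_" prefix, such as tagvalue_credattrs_lastname=surname, comes back in the unmatched list, which makes that configuration slip visible.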
- HTTP-Tag-Value extended attributes must be attached directly to the junction
- tagvalue_always extended attribute