CAC/PIV card users can open a browser to CTP and authenticate automatically via JWT Access Token for OAuth 2.0. To set this up, you will need to ensure that a few CTP roles are granted certain permissions in your JWT authorities array and modify CTP's security XML file. Additionally, you can configure a single-sign-on (SSO) logout URL to which users will be redirected when they log out.
Expected CTP roles in the JWT authorities array
CTP will expect the following roles to have the associated permissions in your JWT authorities array:
| Role | Permissions |
|---|---|
| CTP_ADMIN | Full permissions to all resources |
| CTP_SYSTEM | Read/write/create/execute/delete permissions to granted resources only |
| CTP_BASIC | Read/execute permissions to granted resources only |
Configuring the CTP Security XML File
CTP's applicationContext-security.xml file contains the necessary elements to allow JWT access token for OAuth 2.0, though they are commented out by default. You will need to uncomment them and provide a few configurations specific to your setup enable JWT access token for OAuth 2.0.
When CTP is deployed in Apache Tomcat, the applicationContext-security.xml file can be found in the following location:
tomcat/webapps/em/WEB-INF/classes/META-INF/spring/applicationContext-security.xml
You will need to make the following modifications to this file:
Uncomment the pre-authorization filter
Uncomment the line shown below to enable the pre-authorization filter:
<!-- <custom-filter position="PRE_AUTH_FILTER" ref="BearerTokenAuthFilter"/> -->
Uncomment the authentication provider
Uncomment the line shown below to enable the authentication provider:
<!-- <authentication-provider ref="BearerTokenAuthProvider" /> -->
Uncomment and configure the bearer token beans
Uncomment the lines shown below to enable bearer token beans, then configure the values for JWKS endpoint and claims.
- The first argument corresponds to the JWKS set URL of the authorization server.
- The second argument ("usernameClaim") corresponds to the claim used to identify the user. This argument is optional and if not provided will default to the 'subject' embedded in the JWT token.
- The third argument ("userRoleClaim") corresponds to the claim used to identify the roles of the user. This argument is optional and if not provided will not set the role of the user.
- In the case of nested JSON Objects, separate the key with '.' Example: roleOuterKey.roleInnerKey.
<!--
<beans:bean id="BearerTokenAuthProvider" class="com.parasoft.ctp.web.security.CTPBearerTokenAuthenticationProvider">
<beans:constructor-arg><beans:value>http://localhost:8080/.well-known/jwks.json</beans:value></beans:constructor-arg>
<beans:constructor-arg name="usernameClaim"><beans:value></beans:value></beans:constructor-arg>
<beans:constructor-arg name="userRoleClaim"><beans:value></beans:value></beans:constructor-arg>
</beans:bean>
<beans:bean id="BearerTokenAuthFilter" class="com.parasoft.ctp.web.security.CTPBearerTokenAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
</beans:bean>
-->
Customizing a Single-Sign-On (SSO) Logout URL
A single-sign-on (SSO) logout URL can be customized by modifying the following bean in applicationContext-security.xml:
<beans:bean id="logoutSuccessHandler" class="com.parasoft.ctp.web.security.CTPLogoutSuccessHandler">
<!-- specify a URL that the user will be redirected to after they logout -->
<beans:constructor-arg><beans:value></beans:value></beans:constructor-arg>
</beans:bean>
