Comment: Published by Scroll Versions from space FUNCTDEV and version SVC2023.2
Info: This functionality is deprecated and will be removed in a future version. We recommend using OpenID Connect for OAuth 2.0 instead of JWT.

CAC/PIV card users can open a browser to CTP and authenticate automatically via a JWT access token for OAuth 2.0. To set this up, you will need to ensure that a few CTP roles are granted certain permissions in your JWT authorities array and modify CTP's security XML file. Additionally, you can configure a single sign-on (SSO) logout URL to which users will be redirected when they log out.

...

Configuring the CTP Security XML File

CTP's applicationContext-security.xml file contains the elements needed to accept JWT access tokens for OAuth 2.0, but they are commented out by default. You will need to uncomment them and supply a few settings specific to your setup to enable JWT access token authentication for OAuth 2.0.

When CTP is deployed in Apache Tomcat, the applicationContext-security.xml file can be found in the following location:

<TOMCAT_DIR>/webapps/em/WEB-INF/classes/META-INF/spring/applicationContext-security.xml

You will need to make the following modifications to this file:

...

  • The first argument corresponds to the JWKS set URL of the authorization server.
  • The second argument ("usernameClaim") corresponds to the claim used to identify the user. This argument is optional; if it is not provided, the 'subject' embedded in the JWT token is used.
  • The third argument ("userRoleClaim") corresponds to the claim used to identify the roles of the user. This argument is optional; if it is not provided, no role is set for the user.
    • For nested JSON objects, separate the keys with a period. For example: roleOuterKey.roleInnerKey.
<!--
<beans:bean id="BearerTokenAuthProvider" class="com.parasoft.ctp.web.security.CTPBearerTokenAuthenticationProvider">
    <beans:constructor-arg><beans:value>http://localhost:8080/.well-known/jwks.json</beans:value></beans:constructor-arg>
    <beans:constructor-arg name="usernameClaim"><beans:value></beans:value></beans:constructor-arg>
    <beans:constructor-arg name="userRoleClaim"><beans:value></beans:value></beans:constructor-arg>
</beans:bean>
<beans:bean id="BearerTokenAuthFilter" class="com.parasoft.ctp.web.security.CTPBearerTokenAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
</beans:bean>
-->
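The following is an added illustration, not Parasoft's code, of how the two optional constructor arguments above are interpreted: an empty usernameClaim falls back to the token's subject, an empty userRoleClaim assigns no roles, and a dotted userRoleClaim such as roleOuterKey.roleInnerKey walks nested JSON objects. The claim set is constructed, and signature verification against the JWKS URL is assumed to have already happened before these claims are trusted.

```python
from typing import Any, Optional

# Constructed claim set, as it would look AFTER the token's signature has been
# verified against the authorization server's JWKS (assumed done upstream).
SAMPLE_CLAIMS = {
    "sub": "a1b2c3-subject-id",
    "preferred_username": "jdoe@example.com",
    "resource_access": {"ctp": {"roles": ["admin", "tester"]}},
}


def resolve_claim(claims: dict, path: str) -> Optional[Any]:
    """Walk a dotted path (e.g. 'roleOuterKey.roleInnerKey') through nested
    JSON objects. Returns None when any segment is missing or an intermediate
    value is not an object, so a misconfigured path never yields a role."""
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def map_principal(claims: dict, username_claim: str = "", user_role_claim: str = "") -> dict:
    """Mirror the bean's optional arguments (hypothetical helper, not CTP's API):
    - empty usernameClaim -> the token's 'sub' identifies the user
    - empty userRoleClaim -> the user gets no roles at all."""
    if username_claim:
        username = resolve_claim(claims, username_claim)
    else:
        username = claims.get("sub")
    if not isinstance(username, str) or not username:
        # Refuse to build a principal rather than fall through to a blank user.
        raise ValueError("token carries no usable username claim")

    roles: list = []
    if user_role_claim:
        raw = resolve_claim(claims, user_role_claim)
        if isinstance(raw, str):
            roles = [raw]
        elif isinstance(raw, list):
            roles = [r for r in raw if isinstance(r, str)]
    return {"username": username, "roles": roles}
```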

...

A single sign-on (SSO) logout URL can be customized by modifying the following bean in applicationContext-security.xml:

<beans:bean id="logoutSuccessHandler" class="com.parasoft.ctp.web.security.CTPLogoutSuccessHandler">
    <!-- specify a URL that the user will be redirected to after they logout -->
    <beans:constructor-arg><beans:value></beans:value></beans:constructor-arg>
</beans:bean>

...