This functionality is deprecated and will be removed in a future version. We recommend using OpenID Connect for OAuth 2.0 instead of JWT.

CAC/PIV card users can open a browser to CTP and authenticate automatically via JWT Access Token for OAuth 2.0. To set this up, you will need to ensure that a few CTP roles are granted certain permissions in your JWT authorities array and modify CTP's security XML file. Additionally, you can configure a single-sign-on (SSO) logout URL to which users will be redirected when they log out.

Expected CTP roles in the JWT authorities array

CTP will expect the following roles to have the associated permissions in your JWT authorities array:

Role          Permissions
CTP_ADMIN     Full permissions to all resources
CTP_SYSTEM    Read/write/create/execute/delete permissions to granted resources only
CTP_BASIC     Read/execute permissions to granted resources only

Configuring the CTP Security XML File

CTP's applicationContext-security.xml file contains the elements required to accept a JWT access token for OAuth 2.0, but they are commented out by default. You will need to uncomment them and provide a few settings specific to your setup to enable JWT access token authentication for OAuth 2.0.

When CTP is deployed in Apache Tomcat, the applicationContext-security.xml file can be found in the following location:

<TOMCAT_DIR>/webapps/em/WEB-INF/classes/META-INF/spring/

You will need to make the following modifications to this file:

Uncomment the pre-authorization filter

Uncomment the line shown below to enable the pre-authorization filter:

<!-- <custom-filter position="PRE_AUTH_FILTER" ref="BearerTokenAuthFilter"/> -->

Uncomment the authentication provider

Uncomment the line shown below to enable the authentication provider:

<!-- <authentication-provider ref="BearerTokenAuthProvider" /> -->

Uncomment and configure the bearer token beans

Uncomment the lines shown below to enable the bearer token beans, then configure the JWKS endpoint URL (the first constructor argument) and the names of the claims that carry the username and the user's roles:

<!--
<beans:bean id="BearerTokenAuthProvider" class="com.parasoft.ctp.web.security.CTPBearerTokenAuthenticationProvider">
    <beans:constructor-arg><beans:value>http://localhost:8080/.well-known/jwks.json</beans:value></beans:constructor-arg>
    <beans:constructor-arg name="usernameClaim"><beans:value></beans:value></beans:constructor-arg>
    <beans:constructor-arg name="userRoleClaim"><beans:value></beans:value></beans:constructor-arg>
</beans:bean>
<beans:bean id="BearerTokenAuthFilter" class="com.parasoft.ctp.web.security.CTPBearerTokenAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
</beans:bean>
-->
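The following is an added example, not part of the CTP documentation or Parasoft's own code. It shows what the provider configured above has to do with an incoming token: check the signature and expiry, read the username from the configured usernameClaim, read the roles from the configured userRoleClaim, and map the CTP roles it finds (CTP_ADMIN, CTP_SYSTEM, CTP_BASIC, per the permission table earlier on this page) to an effective permission set, rejecting tokens that carry none of them. To keep the example dependency-free it assumes an HS256 (HMAC) signing key; the real CTP provider fetches keys from the JWKS endpoint, which normally publishes asymmetric keys, so the key handling is a stand-in. All claim names, the key and the sample tokens are constructed here.

```python
import base64
import hashlib
import hmac
import json
import time

# Permission table from the CTP documentation: role -> (resource scope, permissions).
CTP_ROLE_PERMISSIONS = {
    "CTP_ADMIN": ("all resources", {"read", "write", "create", "execute", "delete"}),
    "CTP_SYSTEM": ("granted resources only", {"read", "write", "create", "execute", "delete"}),
    "CTP_BASIC": ("granted resources only", {"read", "execute"}),
}

# Constructed symmetric key for this example only (a real deployment uses the JWKS endpoint).
DEMO_KEY = b"constructed-example-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWT signed with HS256 (used here only to construct sample tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_and_map(token: str, key: bytes, username_claim: str, role_claim: str, now: float = None) -> dict:
    """Verify the token, then resolve username, CTP roles and effective permissions.

    Raises ValueError for anything a provider should refuse: malformed token, unexpected
    algorithm, bad signature, missing/expired exp, missing username, or no CTP role.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never trust the token's own 'alg' beyond the one we configured.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("token expired or has no exp claim")
    username = payload.get(username_claim)
    if not isinstance(username, str) or not username:
        raise ValueError("username claim %r missing" % username_claim)
    authorities = payload.get(role_claim)
    if not isinstance(authorities, list):
        raise ValueError("role claim %r is not an array" % role_claim)
    # Only the roles CTP knows about count; anything else in the array is ignored.
    roles = [r for r in authorities if r in CTP_ROLE_PERMISSIONS]
    if not roles:
        raise ValueError("no CTP role present in %r" % role_claim)
    permissions = set().union(*(CTP_ROLE_PERMISSIONS[r][1] for r in roles))
    scope = "all resources" if "CTP_ADMIN" in roles else "granted resources only"
    return {"username": username, "roles": roles, "scope": scope, "permissions": permissions}


if __name__ == "__main__":
    # Constructed sample: claim names 'sub' and 'authorities' stand in for the configured ones.
    sample = sign_hs256({"sub": "jane", "authorities": ["CTP_BASIC", "SOME_OTHER_ROLE"], "exp": 9999999999}, DEMO_KEY)
    print(verify_and_map(sample, DEMO_KEY, "sub", "authorities"))
```

The claim names passed as username_claim and role_claim correspond to the usernameClaim and userRoleClaim constructor arguments in the bean above; leaving either empty in the real configuration means the provider has nothing to read, which is the first thing to check when every login is rejected.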

Customizing a Single-Sign-On (SSO) Logout URL

A single-sign-on (SSO) logout URL can be customized by modifying the following bean in applicationContext-security.xml:

<beans:bean id="logoutSuccessHandler" class="com.parasoft.ctp.web.security.CTPLogoutSuccessHandler">
    <!-- specify the URL that the user will be redirected to after they log out -->
    <beans:constructor-arg><beans:value></beans:value></beans:constructor-arg>
</beans:bean>