ID #1192

How to set up HMAC authentication on a Muse Proxy application?

The overall steps would be:
1) Create the new application as a copy of the MuseProxyFoundation template; the ID of the new application would be, for example, MuseProxyFoundationHMAC.

2) Edit the file

$MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC\profiles\AuthenticationGroups.xml

and do the following:

- Locate the

/ICE-CONFIG/AUTHENTICATION_GROUPS/AUTHENTICATION_GROUP/AUTHENTICATIONS

node and remove its content, thus obtaining an empty node:

<AUTHENTICATIONS>
</AUTHENTICATIONS>

- Edit the value of the node

/ICE-CONFIG/AUTHENTICATION_GROUPS/AUTHENTICATION_GROUP/NAME
to be:

HMAC Authentication

- Add the following sequence under the node

/ICE-CONFIG/AUTHENTICATION_GROUPS/AUTHENTICATION_GROUP/AUTHENTICATIONS

<AUTHENTICATION>
  <IDENTIFIER>9</IDENTIFIER>
  <LEVEL>requisite</LEVEL>
  <CLASS>com.edulib.muse.proxy.authentication.modules.ProxyLoginModuleHMAC</CLASS>
  <HANDLER>
    <CLASS>com.edulib.muse.proxy.authentication.modules.ProxyLoginModuleHMACDataHandlerXml</CLASS>
    <PARAMETERS>
      <CONFIGURATION_FILE>${WEB_CONTEXT_HOME}/profiles/login/ProxyLoginModuleHMAC.xml</CONFIGURATION_FILE>
    </PARAMETERS>
  </HANDLER>
</AUTHENTICATION>

(make sure that after pasting the content the XML file is still valid)

3) Refresh the applications' properties via the Muse Proxy Administrator Console -> Advanced left menu section -> Operations item -> Refresh Applications button.
The MuseProxyFoundationHMAC application is now set up with HMAC authentication.

4) Establish and configure the parameters for the HMAC authentication. To do this, edit the file:

$MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC\profiles\login\ProxyLoginModuleHMAC.xml

and make changes according to your requirements. For example, you may want to change the secret value (default is quiet) and the parameters that are hashed as part of the signature. By default only the userName (Application ID) and timestamp are used; however, you can add the userAgent and/or referer and/or userAddress to be hashed.

For the purposes of the examples, we assume that all defaults remain (e.g. the quiet secret and userName.timestamp as the message to sign with HmacSHA1).

Assuming that you want to proxify a URL (e.g. http://www.amazon.com/) for the MuseProxyFoundationHMAC Muse Proxy application, the generated HMAC URL will look like:

http://MUSE_PROXY_HOST:PORT/MuseProxyFoundationHMAC?userName=MuseProxyFoundationHMAC&ts=1469524141&sig=ee5a160dbd37c4867e34e6147a3421d2289bec14&qurl=http%3A%2F%2Fwww.amazon.com%2F


where MUSE_PROXY_HOST:PORT are the Muse Proxy server details.

Note that by default the validity of this URL is 30 seconds.

For more detailed information on enabling and configuring HMAC authentication, refer to the Muse Proxy Advanced Configuration.pdf manual, chapter 6.4.5.8 ProxyLoginModuleHMAC.

5) Create your server-side implementation that will dynamically generate the HMAC link(s).


Notes:

1) The generated HMAC URL will work only for 30 seconds (configurable in the value of the TS_EXPIRY field in $MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC\profiles\login\ProxyLoginModuleHMAC.xml).

2) The server generating the HMAC links and the Muse Proxy server must be time synchronized. This is mandatory: if the two machines' clocks are not synchronized, the HMAC links will not work, because of the validity period of the signature.

3) If you create proxified links, the destination URL (i.e. the value of the qurl parameter) must be URL encoded.
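
A minimal generator for step 5, as an added example that is not part of the original FAQ or the vendor's code; it builds the link with the defaults described above. The "." separator between userName and timestamp, the Unix-seconds timestamp and the function names are assumptions, and MUSE_PROXY_HOST:PORT is the FAQ's placeholder.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

PROXY_BASE = "http://MUSE_PROXY_HOST:PORT"  # placeholder from the FAQ
APP_ID = "MuseProxyFoundationHMAC"          # application ID used in the FAQ
SECRET = b"quiet"   # FAQ default; set your own in ProxyLoginModuleHMAC.xml
TS_EXPIRY = 30      # seconds, FAQ default for TS_EXPIRY


def sign(user_name, ts, secret=SECRET):
    """Hex HmacSHA1 over userName and timestamp.

    Assumption: the two fields are joined with a literal "." as the FAQ's
    "userName.timestamp" notation suggests.
    """
    message = f"{user_name}.{int(ts)}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha1).hexdigest()


def build_hmac_url(dest_url, user_name=APP_ID, ts=None, secret=SECRET):
    """Return a proxified link; ts is Unix time in seconds (now if omitted)."""
    ts = int(time.time()) if ts is None else int(ts)
    # urlencode percent-encodes qurl, as note 3 requires.
    query = urlencode({
        "userName": user_name,
        "ts": ts,
        "sig": sign(user_name, ts, secret),
        "qurl": dest_url,
    })
    return f"{PROXY_BASE}/{user_name}?{query}"


def check_link(user_name, ts, sig, now=None, secret=SECRET, expiry=TS_EXPIRY):
    """Local self-check only (hypothetical helper, not Muse Proxy's code)."""
    now = int(time.time()) if now is None else int(now)
    if abs(now - int(ts)) > expiry:   # expired, or the two clocks disagree
        return False
    # Constant-time comparison of the expected and supplied signatures.
    return hmac.compare_digest(sign(user_name, ts, secret), sig)


if __name__ == "__main__":
    print(build_hmac_url("http://www.amazon.com/"))
```

Before relying on the separator assumption, compare the output against a link your Muse Proxy installation accepts, and keep the real secret out of source control.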

Tags: application, authentication, configuration, HMAC, muse, proxy, set up

Related entries: -

Last update: 2016-08-02 13:46
Author: Administrator
Revision: 1.85
