[ Update (April 2013): How to perform this task with ‘pdadmin’ utility. ]
By default WebSEAL junctions do not require any specific authentication for external access – they just derive the default ACL definition of the WebSEAL. However, this default ACL does not allow access to unauthenticated users. So, efficiently the users have to pass authentication with any available authentication method to gain access rights for the junction that does not need any specific authentication.
Here I will explain how to define unauthenticated junction – a junction that allows access to any user, including users that did not pass WebSEAL authentication at all. In fact, creating unauthenticated junction in WebSEAL is super-easy and super-simple when you are experienced WebSEAL professional. If you are a newbie or WebSEAL administration is not among your main tasks, the logic of this flow is not so trivial to guess (or even recall).
In the next steps I will assume the following:
- server hostname is myserver.com
- WebSEAL instance name is default
- WebSEAL junction to be modified is jct
[Note for newbies: WebSEAL administration console can usually be found on http://myserver.com/pdadmin/, and the junction to be configured for unauthenticated access is https://myserver.com:444/jct.]
Step 1: Create “passthrough” ACL
We’ll create ACL that allows unauthenticated access by cloning and modifying default ACL.
In WebSEAL administration console:
- Go to ACL → List ACL
- Click on default-webseal ACL
- Click on Clone
- Specify the following:
- Name: webseal-passthrough (just an example – use any other name you like, but remember it for step 2)
- Description: WebSEAL Passthrough (optional, for your convenience)
- Click on Clone
- Click on ACL name to go to edit page
- Add access rights for unauthenticated users
- Click on Create… button
- Select Unauthenticated from entry type combo box
- Mark check boxes near T, r and x permissions
- Click on Apply, then Done
- Verify that Any-other entry has at least the same permissions, adjust if needed
The “passthrough” ACL is ready for use.
Step 2: Attach “passthrough” ACL to the junction
We’ll attach previously created ACL to the junction that requires unauthenticated access.
In WebSEAL administration console:
- Go to ACL → List ACL
- Click on webseal-passthrough ACL (here you have to use the name from step 1)
- Go to Attach tab in the properties page
- Click on Attach…
- Fill object path: /WebSEAL/myserver.com-default/jct
- Click on Attach
Verify that unauthenticated access to the junction is allowed.
3 thoughts on “Unauthenticated Access to WebSEAL Junctions”