Technical Notes

My online notepad

Unauthenticated Access to WebSEAL Junctions

Posted by Anton Khitrenovich on January 8, 2012

[ Update (April 2013): How to perform this task with ‘pdadmin’ utility. ]

By default WebSEAL junctions do not require any specific authentication for external access – they just derive the default ACL definition of the WebSEAL. However, this default ACL does not allow access to unauthenticated users. So, efficiently the users have to pass authentication with any available authentication method to gain access rights for the junction that does not need any specific authentication.

Here I will explain how to define unauthenticated junction – a junction that allows access to any user, including users that did not pass WebSEAL authentication at all. In fact, creating unauthenticated junction in WebSEAL is super-easy and super-simple when you are experienced WebSEAL professional. If you are a newbie or WebSEAL administration is not among your main tasks, the logic of this flow is not so trivial to guess (or even recall). 

In the next steps I will assume the following:

  • server hostname is
  • WebSEAL instance name is default
  • WebSEAL junction to be modified is jct

[Note for newbies: WebSEAL administration console can usually be found on, and the junction to be configured for unauthenticated access is]

Step 1: Create “passthrough” ACL

We’ll create ACL that allows unauthenticated access by cloning and modifying default ACL.

In WebSEAL administration console:

  1. Go to ACL → List ACL
  2. Click on default-webseal ACL
  3. Click on Clone
  4. Specify the following:
    • Name: webseal-passthrough (just an example – use any other name you like, but remember it for step 2)
    • Description: WebSEAL Passthrough (optional, for your convenience)
  5. Click on Clone
  6. Click on ACL name to go to edit page
  7. Add access rights for unauthenticated users
    1. Click on Create… button
    2. Select Unauthenticated from entry type combo box
    3. Mark check boxes near Tr and x permissions
    4. Click on Apply, then Done
  8. Verify that Any-other entry has at least the same permissions, adjust if needed

The “passthrough” ACL is ready for use.

Step 2: Attach “passthrough” ACL to the junction

We’ll attach previously created ACL to the junction that requires unauthenticated access.

In WebSEAL administration console:

  1. Go to ACL → List ACL
  2. Click on webseal-passthrough ACL (here you have to use the name from step 1)
  3. Go to Attach tab in the properties page
  4. Click on Attach…
  5. Fill object path: /WebSEAL/
  6. Click on Attach

Verify that unauthenticated access to the junction is allowed.

3 Responses to “Unauthenticated Access to WebSEAL Junctions”

  1. […] posting another WebSEAL HOWTO recently, I feel it is the right time to post my collection of WebSEAL-related resources and […]

  2. […] year ago I posted an explanation about unauthenticated junctions for WebSEAL. Let’s do the similar task with pdadmin – […]

  3. […] continue our example about unauthenticated junctions in WebSEAL and attach our passthrough ACL to some resource – for example, the famous […]

Leave a Comment

Your email address will not be published. Required fields are marked *