Junction handling of extended credential attributes

The user-defined credential information created in the previous section can be placed in an HTTP header of the request that is sent across a junction to a back-end server.

You must configure the junction to extract extended attribute data from the credential and insert the data into the HTTP header of the request. This functionality is achieved by setting a junction extended attribute, called HTTP-Tag-Value, on the junction object in the WebSEAL protected object space.

You use the pdadmin object modify set attribute command to set extended attributes on a junction object in the WebSEAL protected object space.

pdadmin> object modify object_name set attribute attr_name attr_value
Note: The above command must be entered as one continuous command line.

An extended attribute (attr_name) enables the junction to perform a specific type of functionality. The HTTP-Tag-Value extended attribute instructs the junction to extract a particular value from a user's credential and send the value to the back-end server in an HTTP header. The value of the HTTP-Tag-Value extended attribute uses the following format:

credential_extended_attribute_name = http_header_name

The credential_extended_attribute_name entry is the same as the attribute specified in the WebSEAL configuration file but without the "tagvalue_" prefix. The entry is not case-sensitive. The http_header_name entry specifies the name of the HTTP header used to deliver the data across the junction.

For example (entered as one line):

pdadmin> object modify /WebSEAL/WS1/junctionA set attribute
HTTP-Tag-Value credattrs_lastname=surname

When WebSEAL processes a user request to a back-end application server, it looks for any HTTP-Tag-Value attributes configured on the junction object.

In this example, the configured junction looks at the credential of the user making the request, extracts the value of the tagvalue_credattrs_lastname credential extended attribute, and places it in an HTTP header as:

surname:Smith

In summary:

Value of HTTP-Tag-Value attribute set on the junction object:

credattrs_lastname=surname

Attribute name and value as they appear in the user credential (since tagvalue_credattrs_lastname=sn):

tagvalue_credattrs_lastname:Smith

HTTP header name and value:

surname:Smith

If the back-end application is a CGI application, the CGI specification dictates that HTTP headers are made available to CGI programs as environment variables in the form:

HTTP_http_header_name

For example:

HTTP_surname=Smith

Multiple items of user attribute data can be passed to the junctioned server in HTTP headers by issuing multiple pdadmin object modify set attribute commands, each of which specifies one HTTP-Tag-Value junction attribute (one attribute is specified per command).
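The following added example (not part of the original documentation, and not WebSEAL code) models the mapping described above: it builds one pdadmin command per HTTP-Tag-Value mapping and predicts which headers a given credential would produce. The function names, the mail and phone attributes, and the header-name check are assumptions of this example; only the credattrs_lastname=surname pair comes from the page.

```python
import re

PREFIX = "tagvalue_"  # prefix used in the WebSEAL configuration file, per the text above
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # characters valid in an HTTP header name

def pdadmin_commands(junction_object, mappings):
    """Return one pdadmin command per (credential_attr, header) mapping."""
    cmds = []
    for attr, header in mappings:
        # Check added by this example: reject names that are not valid header tokens.
        if not TOKEN.fullmatch(header):
            raise ValueError(f"invalid HTTP header name: {header!r}")
        cmds.append(f"object modify {junction_object} set attribute "
                    f"HTTP-Tag-Value {attr}={header}")
    return cmds

def expected_headers(credential, mappings):
    """Model the lookup: add the prefix back, match the name case-insensitively."""
    cred = {name.lower(): value for name, value in credential.items()}
    headers, unresolved = {}, []
    for attr, header in mappings:
        key = (PREFIX + attr).lower()
        if key in cred:
            headers[header] = cred[key]
        else:
            # The page does not say what is sent in this case; the model only reports it.
            unresolved.append(attr)
    return headers, unresolved

# Constructed sample data.
CREDENTIAL = {
    "tagvalue_credattrs_lastname": "Smith",
    "tagvalue_credattrs_mail": "smith@example.com",
}
MAPPINGS = [
    ("credattrs_lastname", "surname"),
    ("CredAttrs_Mail", "mail"),       # mixed case: the entry is not case-sensitive
    ("credattrs_phone", "phone"),     # not present in the sample credential
]

if __name__ == "__main__":
    for cmd in pdadmin_commands("/WebSEAL/WS1/junctionA", MAPPINGS):
        print("pdadmin> " + cmd)
    print(expected_headers(CREDENTIAL, MAPPINGS))
```

Mappings reported as unresolved point to a credential attribute name that does not match the junction setting, which is worth checking before the back-end application relies on that header.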