IBM Security Access Manager for Web, Version 7.0

HTTP header authentication overview

Security Access Manager WebSEAL can pass HTTP headers or cookies to a C-based external authentication module. You can specify one or more headers, cookies, or both to be passed to the module. Although headers and cookies are configured separately, they are conceptually the same, so both are referred to as "headers" in the following sections.

It is critical that your architecture be designed such that WebSEAL can trust the incoming HTTP header. A typical deployment might be a set of kiosks or wireless access point (WAP) gateways that authenticate the users and pass the authenticated identity to WebSEAL over a secured network.

WebSEAL ships with a sample authentication module that is built specifically to map data obtained from Entrust Proxy headers. When you enable HTTP header authentication using the built-in authentication module, you should disable all other authentication methods and accept connections only from the Entrust Proxy. Disabling the other authentication methods removes alternative paths that could be used to impersonate the custom HTTP header data.
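The trust requirement described above can be made concrete with a small model of the decision WebSEAL has to make for each request: accept the asserted identity only when the connection comes from the secured proxy network, and discard the header from any other peer. The following is an added illustration, not WebSEAL code and not the shipped Entrust module; the proxy network `10.0.5.0/24`, the header name `entrust-client`, and the `Request` structure are assumptions made for the example.

```python
# Added example: a minimal model of the trust boundary that HTTP header
# authentication depends on. Illustrative only; not WebSEAL or IBM code.
# Assumed for the example: the proxy network, the header name, and the
# Request shape.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed: the secured network from which the authenticating proxies connect.
TRUSTED_PROXY_NETWORKS = (ipaddress.ip_network("10.0.5.0/24"),)

# Assumed: the header carrying the already-authenticated identity.
IDENTITY_HEADER = "entrust-client"


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    peer_ip: str                      # address of the TCP peer that sent it
    headers: dict = field(default_factory=dict)


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def peer_is_trusted_proxy(peer_ip: str) -> bool:
    """True only when the connection originates on the secured proxy network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETWORKS)


def authenticate_from_header(req: Request) -> Optional[str]:
    """Return the asserted identity if, and only if, the header can be trusted.

    From a trusted proxy the header value is accepted as the authenticated
    identity. From any other peer it is ignored: an untrusted client could
    simply set the header itself, which is exactly the impersonation the
    deployment guidance is meant to rule out.
    """
    if not peer_is_trusted_proxy(req.peer_ip):
        return None
    value = _header(req.headers, IDENTITY_HEADER)
    if not value or not value.strip():
        return None
    return value.strip()


def scrub_identity_header(req: Request) -> Request:
    """Drop an identity header presented by an untrusted peer so that it
    cannot reach a downstream component that would trust it blindly."""
    if peer_is_trusted_proxy(req.peer_ip):
        return req
    kept = {k: v for k, v in req.headers.items()
            if k.lower() != IDENTITY_HEADER}
    return Request(req.peer_ip, kept)


if __name__ == "__main__":
    # Constructed sample requests: same header, different origin.
    from_proxy = Request("10.0.5.7", {"Entrust-Client": "alice"})
    from_internet = Request("203.0.113.9", {"Entrust-Client": "alice"})
    print(authenticate_from_header(from_proxy))            # alice
    print(authenticate_from_header(from_internet))         # None
    print(scrub_identity_header(from_internet).headers)    # {}
```

The point of the two functions is that the header value itself carries no proof of origin; the only thing that makes it trustworthy is the network path it arrived on, which is why the product guidance insists on accepting connections solely from the proxy and disabling every other authentication method.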

You can optionally customize the HTTP header authentication module to authenticate other types of special header data and, optionally, map this data to a Security Access Manager identity. For information on customizing authentication modules, see the IBM Security Access Manager for Web: Web Security Developer Reference.

Usage notes:


