Google Search Appliance (GSA) Valve Security Framework
Readme
Strategic and secure information sources are naturally becoming key repositories that customers want to make searchable. Since search is a platform and not just an application commodity, coping with heterogeneous security systems is a prerequisite for seamlessly rolling out an enterprise-wide secure search capability.
The search appliance integrates well with popular single sign-on (SSO) systems and forms-based authentication systems, and it can negotiate HTTP Basic and NTLM authentication/authorization. However, it cannot substitute for a unified authentication process across all secure sources. Heterogeneous sources may require different sets of credentials, which makes the search experience painful for the end user, who has to authenticate multiple times when querying. Additionally, in certain cases the appliance may not be able to cope with complex and non-standard authentication and/or authorization processes, which may put the deployment of search technology at risk.
The GSA Valve Security Framework was designed to answer both of these issues. It exposes a global authentication capability to the search user and then transparently loads the sets of credentials that are relevant to each indexed source. It is a framework that can easily be extended to support the specifics of new repositories in terms of authentication and authorization processes: by creating new authentication and authorization modules that offer new capabilities, you can make the Security Framework work fully with your custom content repositories.
This authentication and authorization framework acts as a content proxy and can be considered a quick, simple and low-cost alternative to a single sign-on (SSO) system. It can also be integrated with third-party SSO solutions in those situations where the corporate SSO doesn't secure all the searchable applications.
This framework supports two different interfaces for serving content in the search appliance:
- Forms Based Authentication (Web Single Sign-On): the primary frontend, supported from the beginning, is Forms Based Authentication as it is known in GSA terminology. It really acts as a Single Sign-On, since that is the experience the user gets and all requests are handled by this frontend.
- SAML (Security Assertion Markup Language): a security standard supported by the GSA. Since GSA Security Framework version 2, a SAML-enabled frontend is offered.
Latest Changes
Release 2.0 - June 18 2008
- SAML frontend that can be used as an alternative mechanism to the Forms Based one for integration with the Google Search Appliance (GSA). It supports exactly the same scenarios as the Forms Based one does.
- The root Authentication and Authorization processes have been redesigned to be more scalable.
- A new attribute at the repository level, checkAuthN, allows the authentication classes to be skipped entirely. This is useful when the authentication module created for integrating a repository does not need to be processed, for whatever reason (it was already processed by another module, the module is only authZ oriented, ...).
- The referer cookie can now be set up in the config file.
- Authentication cookie content is now URL encoded.
- Code documentation.
- Session implementation has been improved to solve some issues.
- Some other minor issues found in projects have been solved.
Release 1.4.1 - March 19 2008
- Error management feature added. It shows customized error messages.
- Max age is now implemented in all the authentication cookies.
- Basic AuthN/AuthZ: new cookie information avoiding the use of "Basic ".
- Sessions are now synchronized.
- The setIsNegotiate method has been deleted from the authentication process classes.
Release 1.4 - Jan 07 2008
- Added support for Kerberos authentication
- Added support for managing sessions in the Valve. It is also able to store cookies in the session
- New deployment scenarios implemented in the Valve, including the possibility to mix both Kerberos and non-Kerberos authentication
- New Kerberos servlet that supports Kerberos native authentication
- The Authenticate servlet now supports multiple credentials, both for Kerberos and Username/Password
- The Valve configuration file has been extended to support both Kerberos and Sessions
- New package architecture that organizes the authentication and authorization modules
- LDAP configuration has been moved to the configuration file. The same for LDAPSSO.
- New URL encoding processing compatible with Windows sources
- Authentication cookies obtained from the sources can be sent back to the browser and/or stored in the session for further authentication/authorization
- New Credentials implementation managed through a Vector
- Root authentication is now independent from the credentials, which have to be sent in a Credentials object
- HTTPBasic and Kerberos authorization now efficiently handle HEAD requests coming from the GSAs
- New utilities have been created to process files when authorizing. These classes can be used by all the AuthN/AuthZ modules
- More efficient non-HTML file authorization processing. The processing is done in memory by document blocks, instead of opening the whole document
- HTTPVisitor class now supports more processing cases
- Multiple HTTP connections support. The number of connections is now configurable in the config file
Release 1.3.1 - Nov 22 2007
- Fixed the problem of returning to the search page after the initial login at the start of the authN process. The valve first looks for a Referer header and, if it exists and is a valid GSA host, creates a cookie. At the point where the valve redirects back to the search page it will do one of the following (in order):
  - Use the value set in the gsaRequestHost cookie if it exists
  - Look for a gsaHost parameter in the search query string
  - Use the first GSA host defined in the searchHosts array in the valve configuration file
- The version number of the build is now included in the name of the valve.jar (valve_${version}.jar)
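As an added illustration (not the framework's own code), the following Python shows the three-step host resolution from the 1.3.1 notes with every candidate checked against the configured searchHosts list, so a Referer, cookie or query parameter naming an unknown host can never send the user off the GSA after login; the function names and the sample hosts are constructed for this example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse


def valid_gsa_host(candidate: str, search_hosts: list[str]) -> Optional[str]:
    """Return the configured host name if candidate names one of the GSAs, else None.

    candidate may be a bare host ("gsa.example.com:8443") or a full URL as carried
    by a Referer header; only the host part is compared, case-insensitively.
    """
    if not candidate:
        return None
    # Prefix "//" so urlparse treats a bare host as a network location.
    parsed = urlparse(candidate if "://" in candidate else "//" + candidate)
    host = (parsed.hostname or "").lower()
    for configured in search_hosts:
        if configured.lower() == host:
            return configured
    return None


def referer_cookie_value(referer: Optional[str], search_hosts: list[str]) -> Optional[str]:
    """Value to put in the gsaRequestHost cookie at the start of authN.

    None means the Referer was absent or not a configured GSA, so no cookie is
    set and the later redirect cannot be steered to a foreign host.
    """
    return valid_gsa_host(referer or "", search_hosts)


def resolve_redirect_host(cookies: dict[str, str], query_string: str,
                          search_hosts: list[str]) -> str:
    """Pick the GSA host to redirect back to, in the order the 1.3.1 notes give."""
    gsa_param = parse_qs(query_string).get("gsaHost", [""])[0]
    for candidate in (cookies.get("gsaRequestHost", ""), gsa_param):
        host = valid_gsa_host(candidate, search_hosts)
        if host is not None:
            return host
    # Last resort: the first host of the configured searchHosts array.
    return search_hosts[0]


if __name__ == "__main__":
    # Constructed sample configuration and request data (hypothetical hosts).
    hosts = ["gsa.example.com", "gsa2.example.com"]
    print(referer_cookie_value("http://gsa2.example.com:8443/search?q=x", hosts))
    print(resolve_redirect_host({}, "q=test&gsaHost=evil.example.net", hosts))
```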
Release 1.3 - Oct 28 2007
- Added support to configure the valve's authN and authZ classes via an XML configuration file.
- Added support for multiple GSAs using the same Valve Security Framework
More Information
Check the latest documentation available at <http://code.google.com/p/gsa-valve-security-framework/> to learn how the application can be deployed and to get more information.