
I'm wondering how I could disable the access to /identityservices/* and to other opensso / openam servlets.

The thing is that I wrote my own authentication module for strong authentication. The fact that /identityservices/* allows obtaining a token.id with only a username and password is not secure enough in my case, and I would like to disable it.

I think I can disable it by changing opensso / openam web.xml, but I wonder if there is any "smarter" way to do it.

Any suggestions? Thanks for the help.

morbac

2 Answers


There are no other ways from OpenAM's point of view. Of course, you could 'protect' OpenAM with a reverse proxy which does not allow requests to those URLs.

If you disable module-based authentication and do not have an auth chain which allows for username/password auth, it might not be an issue anyway.

Bernhard Thalmayr
  • I'm wondering if I could play with the authentication level to do this. I guess that if I configure the realm to require a higher authentication level, only modules whose level is equal to or higher than this level will allow authentication. – morbac Feb 06 '13 at 08:49
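The reverse-proxy approach from the answer above, as an added example (not part of the original answer or of OpenAM itself). It assumes OpenAM is deployed under /openam on localhost:8080 and that sso.example.com and the certificate paths are placeholders; the denied endpoint is logged separately so blocked attempts show up in monitoring.

```nginx
# Added example: nginx in front of OpenAM, denying the identity services
# endpoint (username/password -> token.id) while proxying everything else.
# Assumptions: OpenAM at http://127.0.0.1:8080/openam; hostname and
# certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name sso.example.com;

    ssl_certificate     /etc/nginx/tls/sso.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/sso.key;   # placeholder

    # "^~" is a prefix match that takes priority over regex locations, and
    # the form without a trailing slash also catches /openam/identityservices
    # itself, not only paths below it.
    location ^~ /openam/identityservices {
        # Separate log so denied calls are easy to alert on.
        access_log /var/log/nginx/openam-identityservices-denied.log;
        return 403;
    }

    # Everything else is forwarded to OpenAM unchanged.
    location /openam/ {
        proxy_pass         http://127.0.0.1:8080/openam/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

This only helps if the servlet container itself listens on localhost (or is firewalled) so that nobody can bypass the proxy by connecting to port 8080 directly; nginx normalises `//` and `..` in the path before matching, but a second entry point would not.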

The OpenAM documentation mentions another way to "minimize exposure of OpenAM": the distributed authentication service. More information here: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/install-guide/index/chap-install-das.html

morbac