Example: Custom login module for inbound mapping
This sample shows a custom login module that creates a java.util.Hashtable hastable that is based on the specified NameCallback callback. The java.util.Hashtable hash table is added to the sharedState java.util.Map so that the WAS login modules can locate the information in the Hashtable.
public customLoginModule()
{
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options)
{
// (For more information on initialization, see
// Custom login module development for a system login configuration.)
_sharedState = sharedState;
}
public boolean login() throws LoginException
{
// (For more information on what to do during login, see
// Custom login module development for a system login configuration.)
// Handles the WSTokenHolderCallback to see if this is an initial or
// propagation login.
javax.security.auth.callback.Callback callbacks[] =
new javax.security.auth.callback.Callback[3];
callbacks[0] = new javax.security.auth.callback.NameCallback("");
callbacks[1] = new javax.security.auth.callback.PasswordCallback(
"Password: ", false);
callbacks[2] = new com.ibm.websphere.security.auth.callback.
WSCredTokenCallbackImpl("");
callbacks[3] = new com.ibm.wsspi.security.auth.callback.
WSTokenHolderCallback("");
try
{
callbackHandler.handle(callbacks);
}
catch (Exception e)
{
// Handles the exception
}
// Determines which callbacks contain information
boolean identitySwitched = false;
String uid = ((NameCallback) callbacks[0]).getName();
char password[] = ((PasswordCallback) callbacks[1]).getPassword();
byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[2]).getCredToken();
java.util.List authzTokenList = ((WSTokenHolderCallback) callbacks[3]).
getTokenHolderList();
if (credToken != null)
{
try
{
String uniqueID = WSSecurityPropagationHelper.validateLTPAToken(credToken);
String realm = WSSecurityPropagationHelper.getRealmFromUniqueID (uniqueID);
// Set the string to the UID so use the information to either
// map or login.
uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueID);
}
catch (Exception e)
{
// handle exception
}
}
else if (uid == null)
{
// Invalid authentication data. You must have either UID or CredToken
throw new WSLoginFailedException("invalid authentication data.");
}
else if (uid != null && password != null)
{
// This is a typical authentication. We can choose to map this ID to
// another ID or one can skip it and allow WebSphere Application Server
// to login for you. When passwords are presented, be very careful not to
// validate the password because this is the initial authentication.
return true;
}
// If desired, map this uid to something else and set the identitySwitched
// boolean. If the identity is changed, clear the propagated attributes below
// so they are not used incorrectly.
uid = myCustomMappingRoutine (uid);
// Clear the propagated attributes because they no longer apply to the new identity
if (identitySwitched)
{
((WSTokenHolderCallback) callbacks[3]).setTokenHolderList(null);
}
boolean requiresLogin = ((com.ibm.wsspi.security.auth.callback.
WSTokenHolderCallback) callbacks[2]).requiresLogin();
if (requiresLogin || identitySwitched)
{
// Retrieves the default InitialContext for this server.
javax.naming.InitialContext ctx = new javax.naming.InitialContext();
// Retrieves the local UserRegistry object.
com.ibm.websphere.security.UserRegistry reg =
(com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry");
// Retrieves the registry uniqueID based on the uid that is specified
// in the NameCallback.
String uniqueid = reg.getUniqueUserId(uid);
uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueID);
// Retrieves the display name from the user registry based on the uniqueID.
String securityName = reg.getUserSecurityName(uid);
// Retrieves the groups associated with this uniqueID.
java.util.List groupList = reg.getUniqueGroupIds(uid);
// Creates the java.util.Hashtable with the information that you gathered
// from the UserRegistry.
java.util.Hashtable hashtable = new java.util.Hashtable();
hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_UNIQUEID, uniqueid);
hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_SECURITYNAME, securityName);
hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_GROUPS, groupList);
// Adds a cache key that is used as part of the look up mechanism for
// the created Subject. The cache key can be an object, but should have
// an implemented toString() method. Make sure the cacheKey contains enough
// information to scope it to the user and any additional attributes you are
// using. If you do not specify this property, the Subject is scoped to the
// WSCREDENTIAL_UNIQUEID returned, by default.
hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_CACHE_KEY, "myCustomAttribute" + uniqueid);
// Adds the hashtable to the sharedState of the Subject.
_sharedState.put(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_PROPERTIES_KEY, hashtable);
}
else if (requiresLogin == false)
{
// For more information on this section, see
// Security attribute propagation.
// If you added a custom Token implementation, one can search through the
// token holder list for it to deserialize.
//Note: Any Java objects are automatically deserialized by
// wsMapDefaultInboundLoginModule
for (int i=0; i<authzTokenList.size(); i++)
{
if (authzTokenList[i].getName().equals("com.acme.MyCustomTokenImpl")
{
byte[] myTokenBytes = authzTokenList[i].getBytes();
// Passes these bytes into the constructor of your implementation
// class for deserialization.
com.acme.MyCustomTokenImpl myTokenImpl =
new com.acme.MyCustomTokenImpl(myTokenBytes);
}
}
}
}
public boolean commit() throws LoginException
{
// (For more information on what to do during a commit, see
// Custom login module development for a system login configuration.)
// Not doing anything here for this specific example
}
// Defines your login module variables
com.ibm.wsspi.security.token.AuthorizationToken customAuthzToken = null;
com.ibm.wsspi.security.token.AuthenticationToken defaultAuthToken = null;
java.util.Map _sharedState = null;
}
See Also
Security attribute propagation
See Also
Custom login module development for a system login configuration