Propagating a custom Java serializable object


Before you begin

Prior to completing this task, verify that security propagation is enabled in the administrative console.



With security attribute propagation enabled, one can propagate data either horizontally with single signon (SSO) enabled or downstream using Common Secure Interoperability version 2 (CSIv2). When a login occurs, either through an application login configuration or a system login configuration, a custom login module can be plugged in to add Java serializable objects into the Subject during login. This document describes how to add an object into the Subject from a login module and describes other infrastructure considerations to make sure that the Java object gets propagated.



  1. Add your custom Java object into the Subject from a custom login module. There is a two-phase process for each Java Authentication and Authorization Service (JAAS) login module. WebSphere Application Server completes the following processes for each login module present in the configuration:

    login() method

    In this step, the login configuration callbacks are analyzed, if necessary, and the new objects or credentials are created.

    commit() method

    In this step, the objects or credentials that are created during login are added into the Subject.

    After a custom Java object is added into the Subject, WAS serializes the object on the sending server, deserializes the object on the receiving server, and adds the object back into the Subject downstream. However, there are some requirements for this process to occur successfully. For more information on the JAAS programming model, see the JAAS information provided in Security: Resources for learning.Important: Whenever you plug a custom login module into the login infrastructure of WebSphere Application Server, make sure that the code is trusted. When you add the login module into the install_root/classes directory, the login module has Java 2 Security AllPermissions. It is recommended that you add your login module and other infrastructure classes into any private directory. However, modify the install_root/properties/server.policy file to make sure that your private directory, JAR file, or both have the permissions needed to execute the application programming interfaces (API) that are called from the login module. Because the login module might be executed after the application code on the call stack, you might add doPrivileged code so that you do not need to add additional properties to your applications.

    The following code sample shows how to add doPrivileged:

    public customLoginModule()
    public void initialize(Subject subject, CallbackHandler callbackHandler,
    Map sharedState, Map options)
    // (For more information on what to do during initialization, see
    // Custom login module development for a system login configuration.)

    public boolean login() throws LoginException
    // (For more information on what to do during login phase, see
    // Custom login module development for a system login configuration.)

    // Construct callback for the WSTokenHolderCallback so that you
    // can determine if
    // your custom object has propagated
    Callback callbacks[] = new Callback[1];
    callbacks[0] = new WSTokenHolderCallback("Authz Token List: ");

    catch (Exception e)
    throw new LoginException (e.getLocalizedMessage());

    // Checks to see if any information is propagated into this login
    List authzTokenList = ((WSTokenHolderCallback) callbacks[1]).

    if (authzTokenList != null)
    for (int i = 0; i< authzTokenList.size(); i++)
    TokenHolder tokenHolder = (TokenHolder)authzTokenList.get(i);

    // Look for your custom object. Make sure you use
    // "startsWith"because there is some data appended
    // to the end of the name indicating in which Subject
    // Set it belongs. Example from getName():
    // "com.acme.CustomObject (1)". The class name is
    // generated at the sending side by calling the
    // object.getClass().getName() method. If this object
    // is deserialized by WebSphere Application Server,
    // then return it and you do not need to add it here.
    // Otherwise, one can add it below.

    Note: If your class appears in this list and does
    // not use custom serialization (for example, an
    // implementation of the Token interface described in
    // the Propagation Token Framework), then WebSphere
    // Application Server automatically deserializes the
    // Java object for you. You might just return here if
    // it is found in the list.

    if (tokenHolder.getName().startsWith("com.acme.CustomObject"))
    return true;
    // If you get to this point, then your custom object has not propagated
    myCustomObject = new com.acme.CustomObject();
    myCustomObject.put("mykey", "mydata");

    public boolean commit() throws LoginException
    // (For more information on what to do during the commit phase, see
    // Custom login module development for a system login configuration.)

    // Assigns a reference to a final variable so it can be used in
    // the doPrivileged block
    final com.acme.CustomObject myCustomObjectFinal = myCustomObject;
    // Prevents your applications from needing a JAAS getPrivateCredential
    // permission.
    public Object run() throws java.lang.Exception
    // Try not to add a null object to the Subject or an object
    // that already exists.
    if (myCustomObjectFinal != null && !subject.getPrivateCredentials().
    // This call requires a special Java 2 Security permission,
    // see the JAAS Javadoc.
    return null;
    catch ( e)
    // Wraps the exception in a WSLoginFailedException
    java.lang.Throwable myException = e.getException();
    throw new WSLoginFailedException (myException.getMessage(), myException);

    // Defines your login module variables
    com.acme.CustomObject myCustomObject = null;

  2. Verify that your custom Java class implements the interface. An object that is added to the Subject must be serializable if you want the object to propagate. For example, the object must implement the interface. If the object is not serializable, the request does not fail, but the object does not propagate. To make sure that an object added to the Subject is propagated, implement one of the token interfaces defined in the Security attribute propagation article or add attributes to one of the following existing default token implementations:


    Add attributes if they are user-specific. For more information, see Default AuthorizationToken.


    Add attributes that are specific to an invocation. For more information, see Default PropagationToken.

    If you are careful adding custom objects and follow all the steps to make sure that WAS can serialize and deserialize the object at each hop, then it is sufficient to use custom Java objects only.

  3. Verify that your custom Java class exists on all of the systems that might receive the request. When you add a custom object into the Subject and expect WAS to propagate the object, make sure that the class definition for that custom object exists in the install_root/classes directory on all of the nodes where serialization or deserialization might occur. Also, verify that the Java class versions are the same.

  4. Verify that your custom login module is configured in all of the login configurations used in your environment where you would need to add your custom object during a login. Any login configuration that interacts with WAS generates a Subject that might be propagated outbound for an EJB request. If you want WebSphere Application Server to propagate a custom object in all cases, make sure that the custom login module is added to every login configuration that is used in your environment. For more information, see Custom login module development for a system login configuration.

  5. Verify that security attribute propagation is enabled on all of the downstream servers that receive the propagated information. When an EJB request is sent to a downstream server and security attribute propagation is disabled on that server, only the authentication token is sent for backwards compatibility. Therefore, review the configuration to verify that propagation is enabled in all of the cells that might receive requests. There are several places in the administrative console that check to make sure propagation is fully enabled. For more information, see Enabling security attribute propagation.

  6. Add any custom objects to the propagation exclude list that you do not want to propagate. One can configure a property to exclude the propagation of objects that match specific class names, package names, or both. For example, one can have a custom object that is related to a specific process. If the object is propagated, it does not contain valid information. You must tell WAS not to propagate this object. Complete the following steps to specify the object in the propagation exclude list, using the administrative console:

    1. Click Security > Global Security.

    2. Under Additional Properties, click Custom Properties > New.

    3. Add in the Name field.

    4. Add the name of the custom object in the Value field. You can add a list of custom objects to the propagation exclude list separated by a colon. For example, you might enter com.acme.CustomLocalObject:com.acme.private.*. You can enter a class name such as com.acme.CustomLocalObject or a package name such as com.acme.private.*. In this example, WAS does not propagate any class that equals com.acme.CustomLocalObject or begins with com.acme.private..

      Although one can add custom objects to the propagation exclude list, be aware of a side effect. WAS stores the opaque token, or the serialized Subject contents, in a local cache for the life of the single signon (SSO) token. The life of the SSO token, which has a default of two hours, is configured in the SSO properties on the administrative console. The information that is added to the opaque token includes only the objects not in the exclude list. If your authentication cache does not match your SSO token timeout, you might get a Subject on the local server that is regenerated from the opaque token but does not contain the objects on the exclude list. The authentication cache, which has a default of ten minutes, is configured on the Global Security panel on the administrative console. It is recommended that you make your authentication cache timeout value equal to the SSO token timeout so that the Subject contents are consistent locally.



As a result of this task, custom Java serializable objects are propagated horizontally or downstream. For more information on the differences between horizontal and downstream propagation, see Security attribute propagation.


See Also

Security attribute propagation


Related Tasks

Enabling security attribute propagation


See Also

Security: Resources for learning
Custom login module development for a system login configuration
Default AuthorizationToken
Default PropagationToken




WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.