Customizing an application login to perform an identity assertion

Using the JAAS login framework, you can create a JAAS login configuration that an application uses to perform an identity assertion: one login module validates trust, and a second creates the credential for the asserted identity.

 

Before you begin

You can allow an application or system provider to perform an identity assertion with trust validation. To do this, you use the JAAS login framework, where trust validation is accomplished in one login module and credential creation is accomplished in another. Stacking the two login modules gives you a JAAS login configuration that can be used to log in as an asserted identity.

Two custom login modules are required:

User implemented trust association login module (trust validation)

The user implemented trust association login module performs whatever trust verification the user requires. When trust is verified, the trust verification status and the login identity must be put into a map in the shared state of the login module so that the credential creation login module can use the information. This map is stored in the shared state under the key:

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state

and consists of:

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
(which is set to true if trusted and false if not trusted)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
(which contains the principal of the identity)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
(which contains the certificate chain of the identity)

Identity assertion login module (credential creation)

The com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule performs the credential creation. This module relies on the trust state information being in the login context’s shared state. This login module is protected by the Java 2 security runtime permissions for:

  • com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize

  • com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login

The identity assertion login module looks for the trust information in the shared state property, com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state, which contains the trust status and the identity to login and should include:

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
(which when true indicates trusted and false when not trusted)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
(which contains the principal of the identity to login, if using a principal)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
(which contains an array holding the certificate chain of the identity to login,
if using a certificate)

A WSLoginFailedException is thrown if the state, trust, or identity information is missing, or if the trust value is not true. Otherwise the login module performs a login of the identity, and the resulting subject contains the new identity.

 

Procedure

  1. Delegate trust validation to a user implemented plug point. Trust validation must be accomplished in a custom login module. This custom login module performs any trust validation required, then sets the trust and identity information in the shared state to be passed on to the identity assertion login module. A map is required in the shared state under the key com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state. If the state is missing, the IdentityAssertionLoginModule throws a WSLoginFailedException. This map must include:

    • A trust key called com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted. If the key is set to true, then trust is established. If the key is set to false, then no trust is established. If the trust key is not set to true, the IdentityAssertionLoginModule throws a WSLoginFailedException.

    • An identity key, set in one of two ways: a java.security.Principal can be set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal key,

    • or a java.security.cert.X509Certificate[] can be set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates key.

    If both a principal and a certificate are supplied, then the principal is used and a warning is issued.
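    The following is an added example of the trust validation login module described above and in "Before you begin"; it is not code from the original page or from the WebSphere product. It assumes a hypothetical trust check: the calling provider presents a shared trust token through a PasswordCallback, which the module compares in constant time against a module option assumed to be named trustToken. The identity to assert arrives through a hypothetical AssertedIdentityCallback. Only the shared state key names documented on this page are used; storing the trusted flag as a java.lang.Boolean is an assumption.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical callback carrying the Principal the caller wants to assert to. */
class AssertedIdentityCallback implements Callback {
    Principal principal;
}

/** Hypothetical handler: supplies the identity to assert and the provider's trust token. */
class AssertionCallbackHandler implements CallbackHandler {
    private final Principal identity;
    private final char[] trustToken;

    AssertionCallbackHandler(Principal identity, char[] trustToken) {
        this.identity = identity;
        this.trustToken = trustToken;
    }

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof AssertedIdentityCallback) {
                ((AssertedIdentityCallback) cb).principal = identity;
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(trustToken);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
}

/** Trust validation module; configured first in the stack, ahead of IdentityAssertionLoginModule. */
public class TrustValidationLoginModule implements LoginModule {
    // Shared state keys exactly as documented for IdentityAssertionLoginModule.
    static final String PREFIX = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.";
    static final String STATE = PREFIX + "state";
    static final String TRUSTED = PREFIX + "trusted";
    static final String PRINCIPAL = PREFIX + "principal";

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private byte[] expectedToken;   // from the assumed module option "trustToken"
    private boolean trusted;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        Object token = options.get("trustToken");
        this.expectedToken = token == null ? null : token.toString().getBytes(StandardCharsets.UTF_8);
    }

    public boolean login() throws LoginException {
        if (expectedToken == null) throw new LoginException("trustToken option not configured");
        AssertedIdentityCallback idCb = new AssertedIdentityCallback();
        PasswordCallback tokenCb = new PasswordCallback("trust token: ", false);
        try {
            handler.handle(new Callback[] { idCb, tokenCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] presented = tokenCb.getPassword();
        tokenCb.clearPassword();
        byte[] presentedBytes = presented == null ? new byte[0]
                : new String(presented).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the token check does not leak through timing.
        trusted = idCb.principal != null && MessageDigest.isEqual(expectedToken, presentedBytes);
        if (!trusted) throw new FailedLoginException("trust validation failed");
        // Hand the result to IdentityAssertionLoginModule through the shared state.
        Map<String, Object> state = new HashMap<>();
        state.put(TRUSTED, Boolean.TRUE);          // value type is an assumption
        state.put(PRINCIPAL, idCb.principal);      // or PREFIX + "certificates" with an X509Certificate[]
        sharedState.put(STATE, state);
        return true;
    }

    public boolean commit() { return trusted; }   // credential creation is done by the next module
    public boolean abort()  { trusted = false; sharedState.remove(STATE); return true; }
    public boolean logout() { trusted = false; sharedState.remove(STATE); return true; }
}
```

    The module fails fast with a FailedLoginException when trust is not established rather than writing false into the shared state; both end in a failed login, since the IdentityAssertionLoginModule rejects anything but a true trusted value, but failing early keeps the untrusted identity from reaching the credential creation module at all. Whatever trust check replaces the token comparison, it must be something the asserting provider cannot forge, because passing it is all that stands between any caller and a RunAs identity of their choosing.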

  2. Create a new JAAS configuration for application logins. The JAAS configuration contains the user implemented trust validation custom login module followed by the IdentityAssertionLoginModule. To configure an application login configuration, perform the following in the administrative console:

    1. Expand Security > Secure administration, applications, and infrastructure

    2. Expand Java authentication and authorization services > Application logins

    3. Select New.

    4. Give the JAAS configuration an alias.

    5. Click Apply.

    6. Select JAAS Login Modules

    7. Select New.

    8. Enter the Module class name of the user implemented trust validation custom login module.

    9. Click Apply.

    10. Enter the Module class name of com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule

    11. Make sure the login modules are in the correct order. The user implemented trust validation login module must be first and the IdentityAssertionLoginModule must be second in the list, because the second module reads the shared state that the first one populates.

    12. Click Save.

    This JAAS configuration is then used by the application to perform an Identity Assertion.

  3. Perform the programmatic identity assertion. A program can now use the JAAS login configuration to perform a programmatic identity assertion. The application creates a login context for the JAAS configuration created in step 2, then logs in to that login context with the identity it wants to assert to. If the login is successful, that identity can be set as the RunAs identity of the current thread. Here is an example of how such code operates (MyCallbackHandler and MyPrincipal are the application's own classes):

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import com.ibm.websphere.security.auth.WSSubject;

    // The handler supplies the identity to assert (and any trust credential) to the login modules.
    MyCallbackHandler handler = new MyCallbackHandler(new MyPrincipal("Joe"));
    // "MyAppLoginConfig" is the alias given to the JAAS configuration in step 2.
    LoginContext lc = new LoginContext("MyAppLoginConfig", handler);
    lc.login();  // throws LoginException if trust validation or credential creation fails
    Subject s = lc.getSubject();
    WSSubject.setRunAsSubject(s);  // throws WSSecurityException if the subject cannot be set
    // From here on, the RunAs identity is "Joe"
    

 

Results

Using the JAAS login framework, a user implemented trust validation login module, and the IdentityAssertionLoginModule, you have created a JAAS login configuration that an application can use to log in as an asserted identity.



Related concepts
Identity assertions with trust validation

Related tasks
Enabling identity assertion with trust validation
Customizing application login with Java Authentication and Authorization Service

Related reference
Custom login module development for a system login configuration
Customization of a server-side Java Authentication and Authorization Service authentication and login configuration