Credential builder

In this topic ...

Quick Tips

Specifying Inputs

Credential Builder LJO

Configuration Notes

A Sample Storage Handler

Related Topics...

WPS Credential Builder

Use this Builder to access credentials (user names, passwords) stored in a configurable credential storage mechanism.

The configurable Credential Storage mechanism is useful for portlets that require credentials different than the credentials used to log into the application server or portal itself. This might occur when a portlet needs to submit unique credentials to a back-end system such as a database or SAP server.

This Builder adds a Linked Java Object and related instantiate method to the model. The LJO class will be an implementation of the com.bowstreet.methods.adapters.credentials.CredentialStorage interface.

 

Quick Tips

  • Read this IBM article to learn how to implement portlet single sign-on using the WebSphere Credential Vault, which is a similar but WebSphere-specific mechanism.

  • Set the following property in the override.properties file to configure a credential storage handler:

 

bowstreet.security.handlers.credentialStorage=com.bowstreet.methods.adapters.credentials.MyCredentialStorageHandler

Your credential storage handler should extend com.bowstreet.methods.adapters.credentials.CredentialStorageBase, which implements the com.bowstreet.methods.adapters.credentials.CredentialStorage interface.

The newInstance method of your storage handler should normally just return a new instance of your class (for example, return new MyCredentialStorageHandler();). Only if your handler has additional configuration that determines which subclass to instantiate does newInstance need to do anything more.

 

Specifying Inputs

The Credential Builder takes the inputs described in the table below. For help on inputs common to many or all Builders such as those in the Properties and HTML Attributes input groups, see "Using the Builder Call Editor."

Input Name: Name
Description: Enter a name for this Builder call. The Designer displays this name in the Builder Call List.

Input Name: Resource Name
Description: Name of the resource for accessing the credential storage mechanism. For example, the resource name might identify a shared account used to access a customer database.

Example: CustomerDB

For more information about using the Credential Vault, a similar but WebSphere-specific mechanism, see the article Portlet Security on the IBM web site.

Each stored credential is given a resource name when it is stored. When setting and retrieving credential information (user ID and password), you access the credential by specifying the Resource Name Builder input. The resource name is used to look up the credential information in the Credential Storage mechanism.

 

Credential Builder LJO

This Builder adds a Linked Java Object and its instantiate method to your model. The LJO class will be an implementation of the CredentialStorage handler interface. The LJO methods can be used in your model to set or retrieve user credentials and also to check if credentials exist.

The following methods are available for CredentialStorage handlers:

  • String getUserID(WebAppAccess webAppAccess) - Returns the user ID stored for the current resource

  • String getPassword(WebAppAccess webAppAccess) - Returns the password stored for the current resource

  • boolean doesCredentialExist(WebAppAccess webAppAccess) - Checks whether a credential exists for the current user and resource

  • void setUserPasswordCredential(WebAppAccess webAppAccess, String userID, String password) - Stores a user ID and password credential for the current resource slot
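The following is an added example of how model-side Java code would consume these handler methods; it is not code from the original page or from the product. It assumes the caller passes in the handler instance (the LJO the Builder adds to the model) and a JDBC DataSource for the backend (for example, obtained through JNDI); both names are illustrative. The point it shows is the check-then-fetch order and failing closed: a missing or incomplete credential is an error, never a fallback to the portal login or to a shared default account.

```java
package com.mycompany.credentials;

import java.sql.Connection;
import java.sql.SQLException;

import javax.sql.DataSource;

import com.bowstreet.methods.adapters.credentials.CredentialStorage;
import com.bowstreet.webapp.WebAppAccess;

/**
 * Added example (not part of the product): opens a JDBC connection to the
 * backend behind the current resource using the credential held by the
 * storage handler, and fails closed when no credential is stored.
 */
public final class BackendConnector
{
    private BackendConnector() {}

    /**
     * @param storage      the handler instance the Credential Builder added to the model
     * @param webAppAccess the current WebAppAccess for the model
     * @param dataSource   the backend's DataSource (assumed to be obtained by the caller, e.g. via JNDI)
     * @return an open connection authenticated as the stored backend user
     * @throws SQLException if no credential exists, the credential is incomplete,
     *                      or the driver rejects it
     */
    public static Connection connect(CredentialStorage storage, WebAppAccess webAppAccess, DataSource dataSource)
        throws SQLException
    {
        // Check before fetching: a missing credential must not fall back to the
        // portal login, a shared account, or a null/empty user name.
        if (!storage.doesCredentialExist(webAppAccess))
        {
            throw new SQLException("no stored credential for this user and resource; ask the user to enter one");
        }

        String userID = storage.getUserID(webAppAccess);
        String password = storage.getPassword(webAppAccess);
        if (userID == null || userID.length() == 0 || password == null)
        {
            throw new SQLException("credential store returned an incomplete credential");
        }

        // Hand the secret straight to the driver; do not log it or embed it in the JDBC URL.
        return dataSource.getConnection(userID, password);
    }
}
```

The caller catches SQLException and, when the message indicates a missing credential, redirects the user to a page that collects the backend user ID and password and stores them through setUserPasswordCredential; the connection attempt is then retried.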

 

Configuration Notes

The CredentialStorage handler used to store and retrieve credentials is configurable. If no configuration setting exists, a simple in-memory test implementation (com.bowstreet.methods.adapters.credentials.CredentialStorageBase) is used; this class is also the base class for all custom storage handlers. Because it keeps credentials in process memory, it is suitable for standalone testing only. To configure a storage handler, set the following property (for example, in WEB-INF/config/override.properties) to the fully qualified name of your custom handler, which must extend CredentialStorageBase.

bowstreet.security.handlers.credentialStorage=com.mycompany.credentials.MyCredentialStorageHandler

By default the following configuration property is set in WEB-INF/config/bowstreet.properties:

bowstreet.security.handlers.credentialStorage=com.bowstreet.methods.adapters.credentials.CredentialVaultBase

The CredentialVaultBase storage handler is the same one used by the WPS Credential Builder. The newInstance() method of this handler detects whether it is running on WebSphere Portal; if so, it returns an instance of the WPSCredentialVault handler, which extends CredentialVaultBase and interacts with the Credential Vault mechanism provided by WebSphere Portal. If running standalone (outside WebSphere Portal), newInstance() returns a new CredentialVaultBase via its default constructor; that instance is suitable for standalone testing only. This default storage handler can be overridden, as described above, by setting the property in WEB-INF/config/override.properties.

 

A Sample Storage Handler

The following is a skeletal sample implementation of a custom storage handler. You will need to implement the methods against your custom or third-party SSO backend; this sample can serve as the starting point for that work. Note that the value of bowstreet.security.handlers.credentialStorage must be the fully qualified name of the class you actually deploy (for this sample, com.mycompany.credentials.MyCredentialStorage).

/*
 * Copyright (c) 2005 Bowstreet Inc. All Rights Reserved.
 */
package com.mycompany.credentials;

import com.bowstreet.methods.adapters.credentials.*;
import com.bowstreet.webapp.*;

/**
 * Retrieve/set user password credentials for a specified resource from a credential storage mechanism.
 */
public class MyCredentialStorage extends CredentialStorageBase implements CredentialStorage
{
    /**
     * Gets the user ID for the current resource.
     *
     * @param webAppAccess The current WebAppAccess for this model.
     * @return The user ID from the UserPasswordPassiveCredential.
     */
    public String getUserID(WebAppAccess webAppAccess)
    {
        // You would likely replace this code with code that queried
        // your backend system to get credentials for this user/resource
        return super.getUserID(webAppAccess);
    }

    /**
     * Gets the user password for the current resource.
     *
     * @param webAppAccess The current WebAppAccess for this model.
     * @return The user password from the UserPasswordPassiveCredential.
     */
    public String getPassword(WebAppAccess webAppAccess)
    {
        // You would likely replace this code with code that queried
        // your backend system to get credentials for this user/resource
        return super.getPassword(webAppAccess);
    }

    /**
     * Gets the current resource name for locating the credential vault slot.
     *
     * @return The resource name to locate the vault slot.
     */
    public String getResourceName()
    {
        // You might replace this code, but the super class has a class member to hold
        // the current resource name, so you may not need to override this.
        return super.getResourceName();
    }

    /**
     * Sets the current resource name for locating the credential vault slot.
     *
     * @param resourceName The resource name to locate the vault slot.
     */
    public void setResourceName(String resourceName)
    {
        // You might replace this code, but the super class has a class member to hold
        // the current resource name, so you may not need to override this.
        super.setResourceName(resourceName);
    }

    /**
     * Sets the user password credentials for the current slot ID.
     *
     * @param webAppAccess The current WebAppAccess for this model.
     * @param userID The user id to be stored in the Credential Vault.
     * @param password The password to be stored in the Credential Vault.
     */
    public void setUserPasswordCredential(WebAppAccess webAppAccess, String userID, String password)
    {
        // You would likely replace this code with logic that
        // stored these credentials (for this user/resource)
        // in the SSO backend.
        //
        // We can get the HttpServlet/Portlet request (and thus the user's
        // appserver/portalserver userid) from the webAppAccess argument
        // via webAppAccess.getHttpServletRequest()
        super.setUserPasswordCredential(webAppAccess, userID, password);
    }

    /**
     * Checks if there is a credential for the current resource.
     *
     * @param webAppAccess The current WebAppAccess for this model.
     * @return true if there is a credential, else false.
     */
    public boolean doesCredentialExist(WebAppAccess webAppAccess)
    {
        // You would likely replace this code with code that queried
        // your backend system to check for credentials for this user/resource
        //
        // We can get the HttpServlet/Portlet request (and thus the user's
        // appserver/portalserver userid) from the webAppAccess argument
        // via webAppAccess.getHttpServletRequest()
        return super.doesCredentialExist(webAppAccess);
    }

    /**
     * Return a new instance of this class, giving subclasses an opportunity
     * to pass back yet further subclasses based on configuration or environment.
     */
    public Object newInstance()
    {
        // Replace this with your classname
        // and optionally anything else we need to do first for initialization
        // and/or your own configuration based logic.
        return new MyCredentialStorage();
    }
}
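The skeleton above delegates every method to the in-memory base class, so on its own it does not tie a credential to the user who stored it. The following added example, written for this page and not taken from the product, fills the methods in so that each credential is keyed by the authenticated user and the resource name together: a credential stored by one portal user is never returned to another user who asks for the same resource, and anonymous requests are rejected rather than served from a shared slot. The class name PerUserCredentialStorage is illustrative. It assumes, as the comments in the skeleton state, that webAppAccess.getHttpServletRequest() returns the servlet request and that its getRemoteUser() identifies the authenticated portal or application-server user; it also assumes CredentialStorageBase holds the resource name the Builder set, which is what the skeleton's getResourceName() comment describes.

```java
package com.mycompany.credentials;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;

import com.bowstreet.methods.adapters.credentials.CredentialStorage;
import com.bowstreet.methods.adapters.credentials.CredentialStorageBase;
import com.bowstreet.webapp.WebAppAccess;

/**
 * Added example handler (not part of the product): credentials are keyed by
 * (authenticated user, resource name), so a credential stored by one portal
 * user is never returned to another user asking for the same resource.
 *
 * Assumptions: webAppAccess.getHttpServletRequest() returns an HttpServletRequest
 * whose getRemoteUser() is the authenticated user, and CredentialStorageBase
 * holds the resource name set by the Credential Builder.
 */
public class PerUserCredentialStorage extends CredentialStorageBase implements CredentialStorage
{
    /** One stored credential: the backend user ID and password. */
    private static final class Credential
    {
        final String userID;
        final String password;

        Credential(String userID, String password)
        {
            this.userID = userID;
            this.password = password;
        }
    }

    // Process-wide in-memory store. Swap this map for your SSO backend;
    // the key discipline in keyFor() stays the same.
    private static final Map<String, Credential> STORE = new ConcurrentHashMap<String, Credential>();

    /**
     * Builds the lookup key from the authenticated user and the current resource.
     * Refuses anonymous requests and missing resource names, so a misconfigured
     * Builder call cannot silently read or write a shared slot.
     */
    private String keyFor(WebAppAccess webAppAccess)
    {
        HttpServletRequest request = webAppAccess.getHttpServletRequest();
        String owner = (request == null) ? null : request.getRemoteUser();
        String resource = getResourceName();
        if (owner == null || owner.length() == 0)
        {
            throw new IllegalStateException("credential access requires an authenticated user");
        }
        if (resource == null || resource.length() == 0)
        {
            throw new IllegalStateException("credential access requires a resource name");
        }
        // Length-prefix the owner so that ("ab","c") and ("a","bc") cannot collide,
        // whatever characters the user ID or resource name contain.
        return owner.length() + ":" + owner + ":" + resource;
    }

    public String getUserID(WebAppAccess webAppAccess)
    {
        Credential c = STORE.get(keyFor(webAppAccess));
        return (c == null) ? null : c.userID;
    }

    public String getPassword(WebAppAccess webAppAccess)
    {
        Credential c = STORE.get(keyFor(webAppAccess));
        return (c == null) ? null : c.password;
    }

    public boolean doesCredentialExist(WebAppAccess webAppAccess)
    {
        return STORE.containsKey(keyFor(webAppAccess));
    }

    public void setUserPasswordCredential(WebAppAccess webAppAccess, String userID, String password)
    {
        if (userID == null || password == null)
        {
            throw new IllegalArgumentException("user ID and password are required");
        }
        // Overwrite any previous credential for this (user, resource) pair.
        STORE.put(keyFor(webAppAccess), new Credential(userID, password));
    }

    /** Called by the framework to obtain the handler named in override.properties. */
    public Object newInstance()
    {
        return new PerUserCredentialStorage();
    }
}
```

To activate it, set bowstreet.security.handlers.credentialStorage=com.mycompany.credentials.PerUserCredentialStorage in WEB-INF/config/override.properties. The map is only a stand-in: it is lost on restart and not shared between cluster members, so a real deployment replaces STORE with the SSO backend while keeping the same per-user key and the same refusal to serve anonymous requests.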