+

Search Tips   |   Advanced Search

 

Develop Web services applications that retrieve tokens from the JAAS Subject in a server application

 

With a server application, the application acts as the request consumer, and the response generator is deployed and runs in the Java 2 Platform, Enterprise Edition (J2EE) container. The consumer component for Web services security stores the security tokens that it receives in the Java Authentication and Authorization Service (JAAS) Subject of the current thread. You can retrieve the security tokens from the JAAS Subject that is maintained as a local thread in the container.

 

Overview

In WAS V6.1, the security handlers are responsible for propagating security tokens. These security tokens are embedded in the SOAP security header and passed to downstream servers. The security tokens are encapsulated in the implementation classes for the com.ibm.wsspi.wssecurity.auth.token.Token interface. You can retrieve the security token data from either a server application or a client application.

Complete the following steps to retrieve the security token data from a server application:

 

Procedure

  1. Obtain the JAAS Subject of the current thread using the WSSubject utility class. If you enable Java 2 security on the Secure administration, applications, and infrastructure panel in the console, access to the JAAS Subject is denied if the application code is not granted the javax.security.auth.AuthPermission("wssecurity.getCallerAsSubject") permission. The following code sample shows how to obtain the JAAS subject:

    javax.security.auth.Subject subj; try { subj = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();
    } catch (com.ibm.websphere.security.WSSecurityException e) {
      …
    }
    
    

  2. Obtain a set of private credentials from the Subject. For more information, see the API com.ibm.websphere.security.auth.WSSubject class through the information center . To access this information within the information center, click Reference > Developer > API Documentation > Application Programming Interfaces. In the Application Programming Interfaces article, click com.ibm.websphere.security.auth > WSSubject.

    When Java 2 security is enabled, you might need to use the AccessController class to avoid a security violation that is caused by operating the security objects in the J2EE container. The following code sample shows how to set the AccessController class and obtain the private credentials:

    Set s = (Set) AccessController.doPrivileged( new PrivilegedAction() { public Object run() { return subj.getPrivateCredentials();
    }   });
    
    

  3. Search the targeting token class in the private credentials. You can search the targeting token class by using the java.util.Iterator interface. The following example shows how to retrieve a username token with a certain token ID value in the security header. You can also use other method calls to retrieve security tokens. For more information, see the application programming interface (API) documents for the com.ibm.wsspi.wssecurity.auth.token.Token interface or custom token classes.

    com.ibm.wsspi.wssecurity.auth.token.UsernameToken unt;
    Iterator it = s.iterator(); while (it.hasNext()) {
      Object obj = it.next();
      if (obj != null && obj instanceOf com.ibm.wsspi.wssecurity.auth.token.UsernameToken) {
        unt =(com.ibm.wsspi.wssecurity.auth.token.UsernameToken) obj; if (unt.getId().equals(“…”)) break; else continue;
      }
    }
    
    

 

Results

After completing these steps, you have retrieved the security tokens from the JAAS Subject in a server application


 

Related concepts


Security token

 

Related tasks


Developing Web services clients that retrieve tokens from the JAAS Subject in an application
Protecting system resources and APIs (Java 2 security)
Configure Java 2 security policy files
Securing Web services applications using JAX-RPC at the message level