Programmatic login

 

+

Search Tips   |   Advanced Search

 

Programmatic login is a type of form login that supports application presentation site-specific login forms for the purpose of authentication.

When enterprise bean client applications require the user to provide identifying information, the writer of the application must collect that information and authenticate the user. The work of the programmer can be broadly classified in terms of where the actual user authentication is performed:

Users of Web applications can receive prompts for authentication data in many ways. The <login-config> element in the Web application deployment descriptor file defines the mechanism that is used to collect this information. Programmers who want to customize login procedures, rather than relying on general purpose devices like a 401 dialog window in a browser, can use a form-based login to provide an application-specific HTML form for collecting login information.

No authentication occurs unless administrative security is enabled. To use form-based login for Web applications, specify FORM in the auth-method tag of the <login-config> element in the deployment descriptor of each Web application.

Applications can present site-specific login forms by using the WAS form-login type. The J2EE specification defines form login as one of the authentication methods for Web applications. WAS provides a form-logout mechanism.

 

Java Authentication and Authorization Service programmatic login

Java Authentication and Authorization Service (JAAS) is a new feature in WAS. It is also mandated by the J2EE 1.4 Specification. JAAS is a collection of strategic authentication API that replace the CORBA programmatic login APIs.

Here is a JAAS login sample

WAS provides some extensions to JAAS: Before you begin developing with programmatic login APIs, consider the following points:

 

Finding the root cause login exception from a JAAS login

If you get a LoginException exception after issuing the LoginContext.login API, you can find the root cause exception from the configured user registry. In the login modules, the registry exceptions are wrapped by a com.ibm.websphere.security.auth.WSLoginFailedException class. This exception has a getCause method with which you can pull out the exception that was wrapped after issuing the previous command.

You are not always guaranteed to get a WSLoginFailedException exception, but most of the exceptions that are generated from the user registry display here. The following example illustrates a LoginContext.login API with the associated catch block. Cast the WSLoginFailedException exception to com.ibm.websphere.security.auth.WSLoginFailedException class if you want to issue the getCause API. The following determineCause example can be used for processing CustomUserRegistry exception types.

try 
    {
         lc.login(); 
    } 
    catch (LoginException le)
    {
  // drill down through the exceptions as they might cascade through the runtime
  Throwable root_exception = determineCause(le);
  
  // now you can use "root_exception" to compare to a particular exception type
  // for example, if you have implemented a CustomUserRegistry type, you would 
  //  know what to look for here.
    }


/* Method used to drill down into the WSLoginFailedException to find the 
"root cause" exception */

    public Throwable determineCause(Throwable e) 
      {
        Throwable root_exception = e, temp_exception = null;

        // keep looping until there are no more embedded WSLoginFailedException or 
        // WSSecurityException exceptions 
         while (true) 
        {
            if (e instanceof com.ibm.websphere.security.auth.WSLoginFailedException)
            {
              temp_exception = ((com.ibm.websphere.security.auth.WSLoginFailedException)
              e).getCause();
            }
            else if (e instanceof com.ibm.websphere.security.WSSecurityException)
            {
              temp_exception = ((com.ibm.websphere.security.WSSecurityException)
              e).getCause();
            }
            else if (e instanceof javax.naming.NamingException)
                // check for Ldap embedded exception
                {
                    temp_exception = ((javax.naming.NamingException)e).getRootCause();
                }
            else if (e instanceof your_custom_exception_here)
            {
                // your custom processing here, if necessary
            }
            else
            {
                // this exception is not one of the types we are looking for,
                // lets return now, this is the root from the WebSphere 
                //  Application Server perspective
                return root_exception;
            }
            if (temp_exception != null)
            {
                // we have an exception; go back and see if this has another
                // one embedded within it.
                root_exception = temp_exception;
                e = temp_exception;
                continue;
            }
            else
            {
                // we finally have the root exception from this call path, this
                // has to occur at some point
                return root_exception;
            }
        }
    }

 

Finding the root cause login exception from a Servlet filter

You can also receive the root cause exception from a servlet filter when addressing post-form login processing. This exception is useful because it shows the user what happened. You can issue the following API to obtain the root cause exception:

Throwable t = com.ibm.websphere.security.auth.WSSubject.getRootLoginException();   if (t != null)    
         t = determineCause(t);

When you have the exception, you can run it through the previous determineCause example to get the native registry root cause.

 

Enabling root cause login exception propagation to pure Java clients

Currently, the root cause does not get propagated to a pure client for security reasons. However, you might want to propagate the root cause to a pure client in a trusted environment. To enable root cause login exception propagation to a pure client, click Security > Secure administration, applications, and infrastructure > Custom Properties on the WAS Administrative Console and set the following property:

com.ibm.websphere.security.registry.propagateExceptionsToClient=true

 

Non-prompt programmatic login

WebSphere Application Server provides a non-prompt implementation of the javax.security.auth.callback.CallbackHandler interface, which is called com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl.

Use this interface, an application can push authentication data to the WebSphere LoginModule instance to perform authentication. This capability is useful for server-side application code to authenticate an identity and to use that identity to invoke downstream J2EE resources.

javax.security.auth.login.LoginContext lc = null;
 try { lc = new javax.security.auth.login.LoginContext("WSLogin", new com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl("user", 
      "securityrealm", "securedpassword"));

// create a LoginContext and specify a CallbackHandler implementation
// CallbackHandler implementation determine how authentication data is collected
// in this case, the authentication data is "push" to the authentication mechanism //   implemented by the LoginModule.
} catch (javax.security.auth.login.LoginException e) {
System.err.println("ERROR: failed to instantiate a LoginContext and the exception: " 
+ e.getMessage()); e.printStackTrace();

// maybe javax.security.auth.AuthPermission "createLoginContext" is not granted
//   to the application, or the JAAS login configuration is not defined.
}
 if (lc != null) try { lc.login();  // perform login javax.security.auth.Subject s = lc.getSubject();
// get the authenticated subject

// Invoke a J2EE resource using the authenticated subject com.ibm.websphere.security.auth.WSSubject.doAs(s, new java.security.PrivilegedAction() { public Object run() { try { bankAccount.deposit(100.00);  // where bankAccount is a protected EJB
} catch (Exception e) {
System.out.println("ERROR: error while accessing EJB resource, exception: " 
+ e.getMessage()); e.printStackTrace();
} return null;
}
}
);
} catch (javax.security.auth.login.LoginException e) {
System.err.println("ERROR: login failed with exception: " + e.getMessage()); e.printStackTrace();

// login failed, might want to provide relogin logic
}

You can use the com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl callback handler with a pure Java client, a client application container, enterprise bean, JavaServer Pages files, servlet, or other Java 2 Platform, Enterprise Edition (J2EE) resources. See Example: Programmatic logins for more information about Object Request Broker (ORB) security initialization requirements in a pure Java client.

The WSCallbackHandlerImpl callback handler is different depending on whether you use WAS security or Web services security. It is located in the sas.jar file for security, and in the was-wssecurity.jar file for Web services security.

 

User interface prompt programmatic login

WebSphere Application Server also provides a user interface implementation of the javax.security.auth.callback.CallbackHandler implementation to collect authentication data from a user through user interface login prompts. The com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl callback handler presents a user interface login panel to prompt users for authentication data.

[AIX HP-UX Solaris]

This behavior requires an X11 server to be called out by the DISPLAY environment.

javax.security.auth.login.LoginContext lc = null;
 try { lc = new javax.security.auth.login.LoginContext("WSLogin", new com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl());

// create a LoginContext and specify a CallbackHandler implementation
// CallbackHandler implementation determine how authentication data is collected
// in this case, the authentication date is collected by GUI login prompt
//   and pass to the authentication mechanism implemented by the LoginModule.
} catch (javax.security.auth.login.LoginException e) {
System.err.println("ERROR: failed to instantiate a LoginContext and the exception: " 
+ e.getMessage()); e.printStackTrace();

// maybe javax.security.auth.AuthPermission "createLoginContext" is not granted
//   to the application, or the JAAS login configuration is not defined.
}
 if (lc != null) try { lc.login();  // perform login javax.security.auth.Subject s = lc.getSubject();
// get the authenticated subject

// Invoke a J2EE resources using the authenticated subject com.ibm.websphere.security.auth.WSSubject.doAs(s, new java.security.PrivilegedAction() { public Object run() { try { bankAccount.deposit(100.00);  // where bankAccount is a protected enterprise bean
} catch (Exception e) {
System.out.println("ERROR: error while accessing EJB resource, exception: " 
+ e.getMessage()); e.printStackTrace();
} return null;
}
}
);
} catch (javax.security.auth.login.LoginException e) {
System.err.println("ERROR: login failed with exception: " + e.getMessage()); e.printStackTrace();

// login failed, might want to provide relogin logic
}

Do not use the com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl callback handler for server-side resources like enterprise bean, servlet, JSP files, and so on. The user interface login prompt blocks the server for user input. This behavior is not good for a server process.

 

Stdin prompt programmatic login

WebSphere Application Server also provides a stdin implementation of the javax.security.auth.callback.CallbackHandler interface. The callback handler, com.ibm.websphere.security.auth.callback.WSStdinCallbackHandlerImpl, prompts and collects authentication data from a user through the stdin prompt.

javax.security.auth.login.LoginContext lc = null;
 try { lc = new javax.security.auth.login.LoginContext("WSLogin", new com.ibm.websphere.security.auth.callback.WSStdinCallbackHandlerImpl());

// create a LoginContext and specify a CallbackHandler implementation
// CallbackHandler implementation determines how authentication data is collected
// in this case, the authentication date is collected by stdin prompt
// and passed to the authentication mechanism implemented by the LoginModule.
} catch (javax.security.auth.login.LoginException e) {
System.err.println("ERROR: failed to instantiate a LoginContext and the exception: 
          " + e.getMessage()); e.printStackTrace();

// maybe javax.security.auth.AuthPermission "createLoginContext" is not granted
//   to the application, or the JAAS login configuration is not defined.
}
 if (lc != null) try { lc.login();  // perform login javax.security.auth.Subject s = lc.getSubject();
// get the authenticated subject

// Invoke a J2EE resource using the authenticated subject com.ibm.websphere.security.auth.WSSubject.doAs(s, new java.security.PrivilegedAction() { public Object run() { try { bankAccount.deposit(100.00);  
// where bankAccount is a protected enterprise bean
} catch (Exception e) {
System.out.println("ERROR: error while accessing EJB resource, exception: " 
       + e.getMessage()); e.printStackTrace();
} return null;
}
}
);
} catch (javax.security.auth.login.LoginException e) {
System.err.println("ERROR: login failed with exception: " + e.getMessage()); e.printStackTrace();

// login failed, might want to provide relogin logic
}

Do not use the com.ibm.websphere.security.auth.callback.WSStdinCallbackHandlerImpl callback handler for server-side resources like enterprise beans, servlets, JSP files, and so on. The input from the stdin prompt is not sent to the server environment. Most servers run in the background and do not have a console. However, if the server does have a console, the stdin prompt blocks the server for user input. This behavior is not good for a server process.


 

Related concepts


Authorization technology

 

Related tasks


Developing programmatic logins with the Java Authentication and Authorization Service

 

Related Reference


Custom login module development for a system login configuration
Customization of a server-side Java Authentication and Authorization Service authentication and login configuration
Example: Getting the caller subject from the thread
Example: Getting the RunAs subject from the thread
Example: Overriding the RunAs subject on the thread
Example: User revocation from a cache
Example: Programmatic logins