Customizing an application login to perform an identity assertion using JAAS


Using the Java Authentication and Authorization Service (JAAS) login framework, we can create a JAAS login configuration that can be used to perform a login with an identity assertion.

We can allow an application or system provider to perform an identity assertion with trust validation. To do this, you use the JAAS login framework, where trust validation is accomplished in one login module and credential creation is accomplished in another module. The two custom login modules allow us to create a JAAS login configuration that can be used to perform a login with an identity assertion. Two login modules are required:

User implemented trust association login module (trust validation)

The user implemented trust association login module performs whatever trust verification the user requires. When trust is verified, the trust verification status and the login identity should be put into a map in the shared state of the login module so that the credential creation login module can use the information. This map should be stored under the shared state property:

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state
      (which consists of)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
      (which is set to true if trusted and false if not trusted)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
       (which contains the principal of the identity)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
       (which contains the certificate of the identity)

Identity assertion login module (credential creation)

The com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule performs the credential creation. This module relies on the trust state information being in the login context’s shared state. This login module is protected by the Java 2 security runtime permissions for:

  • com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize

  • com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login

The identity assertion login module looks for the trust information in the shared state property, com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state, which contains the trust status and the identity to login and should include:

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
       (which when true indicates trusted and false when not trusted)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
       (which contains the principal of the identity to login, if using a principal)

com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
       (which contains an array holding the certificate chain of the identity to login,
        if using a certificate)

A WSLoginFailedException is thrown if the state, trust, or identity information is missing. The login module then performs a login of the identity, and the resulting subject contains the new identity.

 

  1. Delegate trust validation to a user implemented plug point.

    Trust validation must be accomplished in a custom login module. This custom login module should perform any trust validation required, then set the trust and identity information in the shared state to be passed on to the identity assertion login module. A map is required in the shared state key, com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state. If the state is missing then a WSLoginFailedException is thrown by the IdentityAssertionLoginModule. This map must include:

    • A trust key called com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted. If the key is set to true, then trust is established. If the key is set to false, then no trust is established. If the trust key is not set to true, then the IdentityAssertionLoginModule throws a WSLoginFailedException.

    • An identity key, set in one of two ways. A java.security.Principal can be set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal key.

    • Or a java.security.cert.X509Certificate[] can be set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates key.

    If both a principal and certificate are supplied, then the principal is used and a warning is issued.
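As an added example (not code from the IBM documentation or from the product), here is one way to write the user implemented trust validation login module described in step 1. Everything except the shared state keys and the WebSphere WSSubject/WSSecurityException classes is an assumption made for this example: the package and class name com.example.assertion.TrustValidationLoginModule, the AssertedIdentityCallback through which the application's CallbackHandler supplies the identity to assert, the trustedCallers module option, and the trust policy itself (the subject already running on the thread must carry a principal named in trustedCallers). Any other trust check can be substituted in step 2 of login() without changing how the result is handed to IdentityAssertionLoginModule.

```java
package com.example.assertion;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

// Added example: first module in the application login stack. It validates trust
// and leaves the result in the shared state for IdentityAssertionLoginModule.
public class TrustValidationLoginModule implements LoginModule {

    // Shared state keys expected by IdentityAssertionLoginModule.
    private static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule";
    static final String STATE_KEY = PREFIX + ".state";
    static final String TRUSTED_KEY = PREFIX + ".trusted";
    static final String PRINCIPAL_KEY = PREFIX + ".principal";
    static final String CERTIFICATES_KEY = PREFIX + ".certificates";

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private final Set<String> trustedCallers = new HashSet<>();

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = callbackHandler;
        this.sharedState = (Map<String, Object>) sharedState;
        // Hypothetical module option: comma separated names of callers that are
        // allowed to assert identities, configured on this login module.
        Object allowed = options.get("trustedCallers");
        if (allowed != null) {
            trustedCallers.addAll(Arrays.asList(allowed.toString().split("\\s*,\\s*")));
        }
    }

    @Override
    public boolean login() throws LoginException {
        // 1. Ask the application's CallbackHandler which identity to assert.
        AssertedIdentityCallback cb = new AssertedIdentityCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain asserted identity: " + e);
        }
        if (cb.principal == null && cb.certificates == null) {
            throw new LoginException("no asserted identity supplied");
        }

        // 2. Trust validation (example policy): the subject already running on
        //    this thread must carry a principal named in trustedCallers.
        boolean trusted;
        try {
            Subject caller = WSSubject.getCallerSubject();
            trusted = caller != null && caller.getPrincipals().stream()
                .map(Principal::getName).anyMatch(trustedCallers::contains);
        } catch (WSSecurityException e) {
            trusted = false;
        }

        // 3. Publish the decision. IdentityAssertionLoginModule fails the login
        //    itself when trusted is false, so nothing is thrown here.
        Map<String, Object> state = new HashMap<>();
        state.put(TRUSTED_KEY, Boolean.valueOf(trusted));
        if (cb.principal != null) {
            state.put(PRINCIPAL_KEY, cb.principal);   // only one identity key is set
        } else {
            state.put(CERTIFICATES_KEY, cb.certificates);
        }
        sharedState.put(STATE_KEY, state);
        return true;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort() { sharedState.remove(STATE_KEY); return true; }
    @Override public boolean logout() { return true; }

    // Hypothetical callback: the application's handler fills in exactly one field.
    public static final class AssertedIdentityCallback implements Callback {
        public Principal principal;
        public X509Certificate[] certificates;
    }
}
```

The module deliberately records an untrusted result as trusted=false rather than throwing, because the page places the WSLoginFailedException in IdentityAssertionLoginModule; abort() clears the map so a failed login leaves no trust state behind for a later attempt in the same context.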

  2. Create a new JAAS configuration for application logins

    The JAAS configuration will contain the user implemented trust validation custom login module and the IdentityAssertionLoginModule. Then to configure an application login configuration, perform the following on the administration console:

    1. Expand Security > Global security.

    2. Expand Java authentication and authorization services > Application logins.

    3. Select New.

    4. Give the JAAS configuration an alias.

    5. Click Apply.

    6. Select JAAS Login Modules.

    7. Select New.

    8. Enter the Module class name of the user implemented trust validation custom login module.

    9. Click Apply.

    10. Enter the Module class name of com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.

    11. Make sure the Module class name classes are in the correct order. The user implemented trust validation login module should be first and the IdentityAssertionLoginModule should be the second class in the list.

    12. Click Save.

    This JAAS configuration is then used by the application to perform an Identity Assertion.

  3. Perform the programmatic identity assertion. A program can now use the JAAS login configuration to perform a programmatic identity assertion. The application program creates a login context for the JAAS configuration created in step 2, then logs in to that login context with the identity it wants to assert. If the login is successful, that identity can be set as the identity of the current running process. Here is an example of how such code would operate:

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import com.ibm.websphere.security.auth.WSSubject;

    // MyCallbackHandler and MyPrincipal are the application's own classes
    MyCallbackHandler handler = new MyCallbackHandler(new MyPrincipal("Joe"));
    LoginContext lc = new LoginContext("MyAppLoginConfig", handler);
    lc.login();                    // throws LoginException if either login module rejects the assertion
    Subject s = lc.getSubject();   // assume successful: the subject now holds the asserted identity
    WSSubject.setRunAsSubject(s);  // throws WSSecurityException if the subject cannot be set

    // From here on, the runas identity is "Joe"
    

 

Results

Using the JAAS login framework and two login modules (the user implemented trust validation module and the IdentityAssertionLoginModule), we can create a JAAS login configuration that can be used to perform a login with an identity assertion.

 

Related concepts


Identity assertions with trust validation

 

Related tasks


Enable identity assertion with trust validation using JAAS
Customizing application login with Java Authentication and Authorization Service

 

Related


Develop custom login modules for a system login configuration for JAAS
Customizing a server-side Java Authentication and Authorization Service authentication and login configuration