Example: Custom login module for inbound mapping

This sample shows a custom login module that builds a java.util.Hashtable from the user ID supplied in the NameCallback callback (or recovered from a validated LTPA credential token) and adds it to the sharedState java.util.Map map under WSCREDENTIAL_PROPERTIES_KEY, so that the WAS login modules that run after it can locate the identity information in the Hashtable. If the module maps the incoming identity to a different one, it also clears the propagated token holder list so that attributes belonging to the original identity are not attached to the mapped identity. When a user ID and password are presented, the module returns without touching the password; validating it is the job of the WAS login modules that follow.

// Example: custom login module for inbound identity mapping.
// The class name, myCustomMappingRoutine and com.acme.MyCustomTokenImpl are
// placeholders for your own implementation.
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;

public class CustomLoginModule implements LoginModule
{
    public void initialize(Subject subject, CallbackHandler callbackHandler,
        Map sharedState, Map options)
    {
        // (For information on initialization, see
        // Develop custom login modules for a system login configuration for JAAS.)
        _subject = subject;
        _callbackHandler = callbackHandler;
        _sharedState = sharedState;
    }

    public boolean login() throws LoginException
    {
        // (For information on what to do during login, see
        // Develop custom login modules for a system login configuration for JAAS.)

        // Handles the WSTokenHolderCallback to see if this is an initial or
        // propagation login. Four callbacks are requested, so the array has four slots.
        Callback callbacks[] = new Callback[4];
        callbacks[0] = new NameCallback("");
        callbacks[1] = new PasswordCallback("Password: ", false);
        callbacks[2] = new WSCredTokenCallbackImpl("");
        callbacks[3] = new WSTokenHolderCallback("");

        try
        {
            _callbackHandler.handle(callbacks);
        }
        catch (Exception e)
        {
            // Without callback data there is nothing to log in with, so fail the login.
            throw new WSLoginFailedException("unable to obtain callback data: " + e.getMessage());
        }

        // Determines which callbacks contain information
        boolean identitySwitched = false;
        String uid = ((NameCallback) callbacks[0]).getName();
        char password[] = ((PasswordCallback) callbacks[1]).getPassword();
        byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[2]).getCredToken();
        WSTokenHolderCallback tokenHolderCallback = (WSTokenHolderCallback) callbacks[3];
        List authzTokenList = tokenHolderCallback.getTokenHolderList();

        if (credToken != null)
        {
            try
            {
                String uniqueID = WSSecurityPropagationHelper.validateLTPAToken(credToken);
                String realm = WSSecurityPropagationHelper.getRealmFromUniqueID(uniqueID);
                // Set the string to the UID so we can use the information to either
                // map or login.
                uid = WSSecurityPropagationHelper.getUserFromUniqueID(uniqueID);
            }
            catch (Exception e)
            {
                // An LTPA token that does not validate must not be mapped to any identity.
                throw new WSLoginFailedException("invalid credential token: " + e.getMessage());
            }
        }
        else if (uid == null)
        {
            // The authentication data is not valid. You must have either UID
            // or CredToken
            throw new WSLoginFailedException("invalid authentication data.");
        }
        else if (password != null)
        {
            // This is a typical authentication. We can choose to map this ID to
            // another ID or we can skip it and allow WAS
            // to log in for you. When passwords are presented, be very careful not
            // to validate the password because this is the initial authentication.
            return true;
        }

        // We can map this uid to something else and set the identitySwitched
        // boolean. If the identity is changed, clear the following propagated
        // attributes so they are not used incorrectly.
        String mappedUid = myCustomMappingRoutine(uid);
        if (mappedUid != null && !mappedUid.equals(uid))
        {
            identitySwitched = true;
            uid = mappedUid;
        }

        // Clear the propagated attributes because they no longer apply to the new identity
        if (identitySwitched)
        {
            tokenHolderCallback.setTokenHolderList(null);
            authzTokenList = null;
        }

        boolean requiresLogin = tokenHolderCallback.getRequiresLogin();

        if (requiresLogin || identitySwitched)
        {
            try
            {
                // Retrieves the default InitialContext for this server.
                javax.naming.InitialContext ctx = new javax.naming.InitialContext();

                // Retrieves the local UserRegistry object.
                UserRegistry reg = (UserRegistry) ctx.lookup("UserRegistry");

                // Retrieves the registry uniqueID based on the uid specified
                // in the NameCallback (or the mapped uid).
                String uniqueid = reg.getUniqueUserId(uid);
                uid = WSSecurityPropagationHelper.getUserFromUniqueID(uniqueid);

                // Retrieves the display name from the user registry based on the uniqueID.
                String securityName = reg.getUserSecurityName(uniqueid);

                // Retrieves the groups associated with this uniqueID.
                List groupList = reg.getUniqueGroupIds(uniqueid);

                // Creates the java.util.Hashtable with the information that you gathered
                // from the UserRegistry.
                java.util.Hashtable hashtable = new java.util.Hashtable();
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, securityName);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groupList);

                // Adds a cache key used as part of the lookup mechanism for
                // the created Subject. The cache key can be an object, but must
                // implement toString. Make sure the cacheKey contains enough
                // information to scope it to the user and any additional attributes we are
                // using; otherwise a cached Subject built for one set of attributes can be
                // handed out for another. If we do not specify this property, the Subject
                // is scoped to the WSCREDENTIAL_UNIQUEID returned, by default.
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,
                    "myCustomAttribute" + uniqueid);

                // Adds the hashtable to the shared state of the Subject.
                _sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, hashtable);
            }
            catch (Exception e)
            {
                // JNDI or registry failures must fail the login rather than fall through.
                throw new WSLoginFailedException("user registry lookup failed: " + e.getMessage());
            }
        }
        else if (!requiresLogin)
        {
            // (For information on this section, see Security attribute propagation.)
            // If we added a custom Token implementation, we can search through the
            // token holder list for it to deserialize.
            // Any Java objects are automatically deserialized by
            // wsMapDefaultInboundLoginModule
            if (authzTokenList != null)
            {
                for (int i = 0; i < authzTokenList.size(); i++)
                {
                    TokenHolder tokenHolder = (TokenHolder) authzTokenList.get(i);
                    if (tokenHolder.getName().equals("com.acme.MyCustomTokenImpl"))
                    {
                        byte[] myTokenBytes = tokenHolder.getBytes();
                        // Passes these bytes into the constructor of the implementation
                        // class for deserialization.
                        com.acme.MyCustomTokenImpl myTokenImpl =
                            new com.acme.MyCustomTokenImpl(myTokenBytes);
                    }
                }
            }
        }

        return true;
    }

    public boolean commit() throws LoginException
    {
        // (For information on what to do during a commit, see
        // Develop custom login modules for a system login configuration for JAAS.)
        return true;
    }

    // abort and logout are required by the LoginModule interface; this example
    // keeps no state that needs to be undone.
    public boolean abort() throws LoginException
    {
        return true;
    }

    public boolean logout() throws LoginException
    {
        return true;
    }

    // Placeholder for your own mapping logic. Return the input unchanged when no
    // mapping applies; any other return value marks the identity as switched.
    private String myCustomMappingRoutine(String uid)
    {
        return uid;
    }

    // Defines the login module variables
    com.ibm.wsspi.security.token.AuthorizationToken customAuthzToken = null;
    com.ibm.wsspi.security.token.AuthenticationToken defaultAuthToken = null;
    private Subject _subject = null;
    private CallbackHandler _callbackHandler = null;
    private Map _sharedState = null;
}
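The login module above hands the raw bytes of the TokenHolder named com.acme.MyCustomTokenImpl to that class's byte[] constructor, but the class itself is not on this page. The following is an added example of what that serialize/deserialize pair can look like; it is not IBM's code, and the class name, the field layout (version byte, principal, attribute count, attributes) and the size limits are assumptions. It deliberately does not implement the WebSphere com.ibm.wsspi.security.token.Token or AuthorizationToken interfaces, which a real custom token also needs so that WAS can carry it; only the byte round trip used by the loop is shown.

```java
package com.acme;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical custom token for the TokenHolder loop in the login module above.
// It carries one principal name plus a short list of string attributes and uses
// its own byte layout:  version(1) | principal(UTF) | count(int32) | attribute(UTF)*
public final class MyCustomTokenImpl
{
    private static final byte VERSION = 1;
    private static final int MAX_ATTRIBUTES = 64;      // assumed limit
    private static final int MAX_TOKEN_BYTES = 4096;   // assumed limit

    private final String principal;
    private final List<String> attributes;

    public MyCustomTokenImpl(String principal, List<String> attributes)
    {
        if (principal == null || principal.length() == 0)
            throw new IllegalArgumentException("principal is required");
        if (attributes == null || attributes.size() > MAX_ATTRIBUTES)
            throw new IllegalArgumentException("attribute list missing or too large");
        this.principal = principal;
        this.attributes = Collections.unmodifiableList(new ArrayList<String>(attributes));
    }

    // Rebuilds the token from the bytes stored in a TokenHolder. Every length that
    // comes out of the payload is bounds-checked before it is used, and a truncated
    // payload surfaces as EOFException (an IOException) from DataInputStream.
    public MyCustomTokenImpl(byte[] bytes) throws IOException
    {
        if (bytes == null || bytes.length == 0 || bytes.length > MAX_TOKEN_BYTES)
            throw new IOException("token length out of range");
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes));
        byte version = in.readByte();
        if (version != VERSION)
            throw new IOException("unsupported token version " + version);
        String p = in.readUTF();
        if (p.length() == 0)
            throw new IOException("empty principal");
        int count = in.readInt();
        if (count < 0 || count > MAX_ATTRIBUTES)
            throw new IOException("attribute count out of range: " + count);
        List<String> attrs = new ArrayList<String>(count);
        for (int i = 0; i < count; i++)
            attrs.add(in.readUTF());
        if (in.available() != 0)
            throw new IOException("unexpected trailing bytes in token");
        this.principal = p;
        this.attributes = Collections.unmodifiableList(attrs);
    }

    // Serialized form that the sending side places in the TokenHolder.
    public byte[] getBytes() throws IOException
    {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeByte(VERSION);
        out.writeUTF(principal);
        out.writeInt(attributes.size());
        for (String a : attributes)
            out.writeUTF(a);
        out.flush();
        return bos.toByteArray();
    }

    public String getPrincipal()
    {
        return principal;
    }

    public List<String> getAttributes()
    {
        return attributes;
    }
}
```

The login module treats a constructor failure as an IOException, so the loop that calls new com.acme.MyCustomTokenImpl(myTokenBytes) should catch it and decide whether a malformed custom token fails the login or is simply ignored; silently accepting a partially parsed token is the one outcome to avoid.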


Related concepts

Security attribute propagation


Related tasks

Develop custom login modules for a system login configuration for JAAS
Set inbound identity mapping