Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authorizing access to resources
SCA RequestContext.getSecuritySubject() API
Overview
For RequestContext.getSecuritySubject() to return a JAAS subject representing an authenticated SCA service user, the following conditions must be met:
- Enable administrative security
- Enable application security
- The SCA service has either an authentication intent or a PolicySet that requires authentication
- The SCA deployment process associates that PolicySet with the SCA service
Use RequestContext.getSecuritySubject()
- Add an authentication intent or specify a PolicySet in the binding element of an SCA service composite file to enforce SCA request authentication, as shown in the following example, which uses the "authentication.transport" intent:

```xml
<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
           xmlns:dbsdo="http://tuscany.apache.org/xmlns/sca/databinding/sdo/1.0"
           xmlns:wsdli="http://www.w3.org/2004/08/wsdl-instance"
           xmlns:qos="http://www.ibm.com/xmlns/prod/websphere/sca/1.0/2007/06"
           name="EchoServiceWithIdentityWSComposite">
  <component name="EchoServiceWithIdentityWSComponent">
    <implementation.java class="test.ws.soa.sca.qos.policy.echoRelayServiceTest.echoService.EchoServiceWithIdentityComponentImpl"/>
    <service name="EchoService">
      <!-- requires="authentication.transport" makes the runtime authenticate every request on this binding -->
      <binding.ws uri="EchoServiceWithIdentity"
                  wsdlElement="http://echo#wsdl.port(EchoServiceWithIdentity/EchoServiceWithIdentitySoapPort)"
                  requires="authentication.transport" />
    </service>
  </component>
</composite>
```
- Specify the "WSHTTPS default" PolicySet in the SCA client composite file. A user name and password are configured for use in outbound requests of the "HTTP Transport" default PolicySet binding.
The following example uses the RequestContext.getSecuritySubject API:

```java
import org.osoa.sca.annotations.Context;
import org.osoa.sca.annotations.Service;
import org.osoa.sca.RequestContext;
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.Iterator;
import com.ibm.websphere.security.cred.WSCredential;

@Service(EchoService.class)
public class EchoServiceWithIdentityComponentImpl implements EchoService {

    // Injected by the SCA runtime; gives access to the security subject of the current request
    @Context
    protected RequestContext requestContext;

    public String echo_String(String input) {
        try {
            Subject subject = null;
            // Accumulates the principal name and, later, the WSCredential attributes
            StringBuffer securityName = null;
            if (requestContext != null) {
                // Returns null when security is disabled or the binding does not require authentication
                subject = requestContext.getSecuritySubject();
            }
            if (subject != null) {
                java.util.Set principalSet = subject.getPrincipals();
                if (principalSet != null && principalSet.size() > 0) {
                    Iterator principalIterator = principalSet.iterator();
                    if (principalIterator.hasNext()) {
                        Principal principal = (Principal) principalIterator.next();
                        securityName = new StringBuffer(principal.getName());
                    }
                }
            }
            . . .
```
- The principal identity consists of a realm name followed by the identity of the requester, as shown in the example below. Here WebSphere Application Server (WAS) is configured to use an LDAP server for authentication, so the realm name is the LDAP server host name and port number:

```
security name = ldap1.austin.ibm.com:389/user2
```

You can obtain various security attributes of the request from the WSCredential object in the subject, as shown in the following example:
```java
if (subject != null) {
    java.util.Set credSet = subject.getPublicCredentials();
    if (credSet != null && credSet.size() > 0) {
        Iterator credIterator = credSet.iterator();
        while (credIterator.hasNext()) {
            Object o = credIterator.next();
            WSCredential cred = null;
            if (o instanceof WSCredential) {
                cred = (WSCredential) o;
            } else {
                // Some other public credential type: record only its class name
                if (securityName == null) {
                    securityName = new StringBuffer();
                }
                securityName.append("\n>> Found a public credential: " + o.getClass().getName());
            }
            if (cred != null) {
                if (securityName == null) {
                    securityName = new StringBuffer();
                }
                // Each getter below is realm-qualified or unqualified as the sample output shows
                securityName.append("\n>> WSCredential security attributes . . .");
                securityName.append("\n>> getAccessId = \t\t" + cred.getAccessId());
                securityName.append("\n>> getGroupIds = \t\t" + cred.getGroupIds());
                securityName.append("\n>> getPrimaryGroupId = \t\t" + cred.getPrimaryGroupId());
                securityName.append("\n>> getRealmName = \t\t" + cred.getRealmName());
                securityName.append("\n>> getRealmSecurityName = \t\t" + cred.getRealmSecurityName());
                securityName.append("\n>> getRealmUniqueSecurityName = \t\t" + cred.getRealmUniqueSecurityName());
                securityName.append("\n>> getSecurityName = \t\t" + cred.getSecurityName());
                securityName.append("\n>> getUniqueSecurityName = \t\t" + cred.getUniqueSecurityName());
            }
        }
    }
}
```

Sample output is shown below:
```
>> WSCredential security attributes . . .
>> getAccessId =                user:ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
>> getGroupIds =                [group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US]
>> getPrimaryGroupId =          group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US
>> getRealmName =               ldap1.austin.ibm.com:389
>> getRealmSecurityName =       ldap1.austin.ibm.com:389/user2
>> getRealmUniqueSecurityName = ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
>> getSecurityName =            user2
>> getUniqueSecurityName =      cn=user2,o=ibm,c=us
```
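As an added example that is not part of the IBM documentation, the following hypothetical helper turns the realm-qualified group IDs shown in the sample output into a fail-closed group check that a service can call before doing privileged work. The class and method names (ScaGroupAuthorizer, callerInGroup, matchesGroup) are invented; the realm and group values in the comments are taken from the sample output above.

```java
import java.util.List;
import javax.security.auth.Subject;
import org.osoa.sca.RequestContext;
import com.ibm.websphere.security.cred.WSCredential;

/** Hypothetical helper (added example): group-based authorization for an SCA service. */
public final class ScaGroupAuthorizer {

    private ScaGroupAuthorizer() {}

    /**
     * Returns true only if the request carries an authenticated subject whose
     * WSCredential lists a group matching requiredRealm and requiredGroupDn.
     * A missing subject (security disabled, or no authentication intent/PolicySet
     * on the binding) yields false: fail closed rather than trust the caller.
     */
    public static boolean callerInGroup(RequestContext ctx, String requiredRealm, String requiredGroupDn) {
        if (ctx == null) return false;
        Subject subject = ctx.getSecuritySubject();
        if (subject == null) return false;
        for (Object o : subject.getPublicCredentials()) {
            if (!(o instanceof WSCredential)) continue;
            WSCredential cred = (WSCredential) o;
            try {
                // Group IDs are realm-qualified, e.g. "group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US"
                List<?> groupIds = cred.getGroupIds();
                if (groupIds == null) return false;
                for (Object id : groupIds) {
                    if (matchesGroup(String.valueOf(id), requiredRealm, requiredGroupDn)) return true;
                }
            } catch (Exception e) {
                // getGroupIds() fails if the credential is expired or destroyed: deny
                return false;
            }
        }
        return false;
    }

    /** Splits "group:<realm>/<dn>"; the realm must match exactly, the DN case-insensitively. */
    static boolean matchesGroup(String groupId, String requiredRealm, String requiredGroupDn) {
        if (groupId == null || !groupId.startsWith("group:")) return false;
        String rest = groupId.substring("group:".length());
        int slash = rest.indexOf('/');   // the realm (host:port) never contains '/'
        if (slash < 0) return false;
        String realm = rest.substring(0, slash);
        String dn = rest.substring(slash + 1);
        return realm.equals(requiredRealm) && dn.equalsIgnoreCase(requiredGroupDn);
    }
}
```

A service method would call `ScaGroupAuthorizer.callerInGroup(requestContext, "ldap1.austin.ibm.com:389", "cn=group2,o=ibm,c=us")` and reject the request when it returns false.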