Use the SCA RequestContext.getSecuritySubject() API
The Service Component Architecture (SCA) RequestContext.getSecuritySubject() API returns a Java Authentication and Authorization (JAAS) subject that represents an authenticated user who accesses the protected SCA service.
SCA service developers can use the RequestContext.getSecuritySubject() API to obtain a JAAS Subject that represents the requester.
If one or more of the following preconditions are not met, the SCA request is not authenticated, and the RequestContext.getSecuritySubject API returns a null Subject:
- Administrative security must be enabled to initialize the security infrastructure.
- Application security must be enabled to enforce security policy and authentication.
- The SCA service must require an authenticated user. Authentication can be done at the transport layer using the authentication.transport intent (for OSOA composites) or the clientAuthentication.transport intent (for OASIS composites). Authentication can be done at the message layer by attaching a web service policy set that requires authentication.
When using the RequestContext.getSecuritySubject() API, perform the following steps:
- Use the RequestContext.getSecuritySubject API in the component implementation class.
The following example utilizes the OSOA RequestContext.getSecuritySubject API:
```java
import org.osoa.sca.annotations.Context;
import org.osoa.sca.annotations.Service;
import org.osoa.sca.RequestContext;
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.Iterator;
import com.ibm.websphere.security.cred.WSCredential;

@Service(EchoService.class)
public class EchoServiceWithIdentityComponentImpl implements EchoService {

    @Context
    protected RequestContext requestContext;

    public String echo_String(String input) {
        Subject subject = null;
        String securityName = null;
        try {
            // The Subject is null when the request was not authenticated
            // (one of the preconditions above was not met).
            if (requestContext != null) {
                subject = requestContext.getSecuritySubject();
            }
            if (subject != null) {
                java.util.Set principalSet = subject.getPrincipals();
                if (principalSet != null && principalSet.size() > 0) {
                    Iterator principalIterator = principalSet.iterator();
                    if (principalIterator.hasNext()) {
                        Principal principal = (Principal) principalIterator.next();
                        securityName = principal.getName();
                    }
                }
            }
        } catch (Exception ex) {
            // Handle exception
        }
        // Return statement added so the method matches its declared String type;
        // securityName is null for an unauthenticated request.
        return input + " (requester: " + securityName + ")";
    }
}
```

The same example applies to using the OASIS RequestContext.getSecuritySubject API, with the exception of the package names:

```java
import org.oasisopen.sca.annotation.Context;
import org.oasisopen.sca.annotation.Service;
import org.oasisopen.sca.RequestContext;
```
- You can obtain various security attributes of the request from the WSCredential object in the subject, as shown in the following example. The code belongs inside the try block of the previous example, because the WSCredential getters throw checked credential exceptions:

```java
if (subject != null) {
    // Collects the attribute report; kept separate from the String securityName
    // of the previous example.
    StringBuffer attributes = new StringBuffer();
    java.util.Set credSet = subject.getPublicCredentials();
    if (credSet != null && credSet.size() > 0) {
        Iterator credIterator = credSet.iterator();
        while (credIterator.hasNext()) {
            Object o = credIterator.next();
            WSCredential cred = null;
            if (o instanceof WSCredential) {
                cred = (WSCredential) o;
            } else {
                attributes.append("\n>> Found a public credential: " + o.getClass().getName());
            }
            if (cred != null) {
                attributes.append("\n>> WSCredential security attributes . . .");
                attributes.append("\n>> getAccessId = \t\t" + cred.getAccessId());
                attributes.append("\n>> getGroupIds = \t\t" + cred.getGroupIds());
                attributes.append("\n>> getPrimaryGroupId = \t\t" + cred.getPrimaryGroupId());
                attributes.append("\n>> getRealmName = \t\t" + cred.getRealmName());
                attributes.append("\n>> getRealmSecurityName = \t\t" + cred.getRealmSecurityName());
                attributes.append("\n>> getRealmUniqueSecurityName = \t\t" + cred.getRealmUniqueSecurityName());
                attributes.append("\n>> getSecurityName = \t\t" + cred.getSecurityName());
                attributes.append("\n>> getUniqueSecurityName = \t\t" + cred.getUniqueSecurityName());
            }
        }
    }
}
```

The principal identity consists of a realm name followed by the identity of the requester. For example, assume WebSphere Application Server is configured to use an LDAP server for authentication. The realm name is the LDAP server host name and the port number:

```text
security name = ldap1.austin.ibm.com:389/user2
```
Sample output is shown here:

```text
>> WSCredential security attributes . . .
>> getAccessId = 		user:ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
>> getGroupIds = 		[group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US]
>> getPrimaryGroupId = 		group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US
>> getRealmName = 		ldap1.austin.ibm.com:389
>> getRealmSecurityName = 		ldap1.austin.ibm.com:389/user2
>> getRealmUniqueSecurityName = 		ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
>> getSecurityName = 		user2
>> getUniqueSecurityName = 		cn=user2,o=ibm,c=us
```
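As an added example that is not part of this topic's own code, the following standalone Java class shows how a service can handle the Subject fail-closed (a null Subject or a Subject without a Principal is treated as unauthenticated, never as a known user) and split the realm-qualified principal name into realm and security name. It uses only the JDK and constructs a Subject in place of the one RequestContext.getSecuritySubject() would return, because the WebSphere classes are not available offline; the class and method names are assumptions.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.Subject;

public class RequesterIdentity {

    /** Realm-qualified identity parsed from the Subject's first Principal. */
    public static final class Identity {
        public final String realm;        // e.g. "ldap1.austin.ibm.com:389"
        public final String securityName; // e.g. "user2"
        Identity(String realm, String securityName) {
            this.realm = realm;
            this.securityName = securityName;
        }
    }

    /**
     * Returns null when the request is not authenticated (null Subject, or a Subject
     * without a Principal), so callers deny rather than treat the caller as known.
     */
    public static Identity fromSubject(Subject subject) {
        if (subject == null) {
            return null; // a precondition was not met: the request is unauthenticated
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        String name = principals.iterator().next().getName();
        if (name == null) {
            return null;
        }
        // Name format is "<realm>/<identity>"; neither the realm (host:port) nor the
        // identity in the sample output contains '/', so split on the first one.
        int slash = name.indexOf('/');
        if (slash < 0) {
            return new Identity(null, name); // unqualified name: no realm present
        }
        return new Identity(name.substring(0, slash), name.substring(slash + 1));
    }

    public static void main(String[] args) {
        // Constructed stand-in for the Subject that getSecuritySubject() would return.
        Principal p = () -> "ldap1.austin.ibm.com:389/user2"; // getName() is Principal's only abstract method
        Subject s = new Subject(true, Collections.singleton(p), Collections.emptySet(), Collections.emptySet());
        Identity id = fromSubject(s);
        System.out.println("realm=" + id.realm + " user=" + id.securityName);
        System.out.println("unauthenticated -> " + fromSubject(null));
    }
}
```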
Related tasks
Use SCA authorization and security identity policies