Migrate Common Object Request Broker Architecture programmatic login to Java Authentication and Authorization Service (CORBA and JAAS)
Use this topic as an example of how to perform programmatic login using the CORBA-based programmatic login APIs.
This document outlines the deprecated Common Object Request Broker Architecture (CORBA) programmatic login APIs and the alternatives provided by JAAS. WAS fully supports the Java Authentication and Authorization Service (JAAS) as programmatic login APIs. See Configure programmatic logins for Java Authentication and Authorization Service and Develop programmatic logins with the Java Authentication and Authorization Service for more details on JAAS support.
(zos) Common Object Request Broker Architecture (CORBA) APIs are not supported in the WAS for z/OS environment. If we have an application that you are porting from another WebSphere Application Server product to WebSphere Application Server for z/OS you must be aware that the security APIs that are deprecated in Version 6.0.x. To use these applications on WebSphere Application Server for z/OS Version 8.0, migrate to JAAS.
The following list includes the deprecated CORBA programmatic login APIs.
- (dist)(zos) ${user.install.root}/installedApps/sampleApp.ear/default_app.war/WEB-INF/classes/LoginHelper.java.
- (dist)(zos) ${user.install.root}/installedApps/sampleApp.ear/default_app.war/WEB-INF/classes/ServerSideAuthenticator.java.
- (iseries) profile_root/installedApps/sampleApp.ear/default_app.war/WEB-INF/classes/ServerSideAuthenticator.java.
- org.omg.SecurityLevel2.Credentials. This API is included with the product, but it is not recommended that you use the API.
The APIs provided in WebSphere Application Server are a combination of standard JAAS APIs and a product implementation of standard JAAS interfaces.
(zos) The supported APIs provided in WebSphere Application Server for z/OS are a combination of standard JAAS APIs and a product implementation of standard JAAS interfaces with some minor extension.
The following information is only a summary; refer to the JAAS documentation for your platform located at: http://www.ibm.com/developerworks/java/jdk/security/ .
- Programmatic login APIs:
- javax.security.auth.login.LoginContext
- javax.security.auth.callback.CallbackHandler interface: The WebSphere Application Server product provides the following implementation of the javax.security.auth.callback.CallbackHandler interface:
- com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl
- Provides a non-prompt CallbackHandler handler when the application pushes basic authentication data (user ID, password, and security realm) or token data to product login modules. This API is recommended for server-side login.
- (dist)(iseries) com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl
- Provides a login prompt CallbackHandler handler to gather basic authentication data (user ID, password, and security realm). This API is recommended for client-side login.
If this API is used on the server side, the server is blocked for input.
- com.ibm.websphere.security.auth.callback.WSStdinCallbackHandlerImpl
- Provides a stdin login prompt CallbackHandler handler to gather basic authentication data (user ID, password, and security realm). This API is recommended for client-side login.
If this API is used on the server side, the server is blocked for input.
- javax.security.auth.callback.Callback interface:
- javax.security.auth.callback.NameCallback
- Provided by JAAS to pass the user name to the LoginModules interface.
- javax.security.auth.callback.PasswordCallback
- Provided by JAAS to pass the password to the LoginModules interface.
- com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl
- Provided by the product to perform a token-based login. With this API, an application can pass a token-byte array to the LoginModules interface.
- javax.security.auth.spi.LoginModule interface
WebSphere Application Server provides a LoginModules implementation for client and server-side login. Refer to Configure programmatic logins for Java Authentication and Authorization Service for details.
- javax.security.Subject:
- (dist)(iseries) com.ibm.websphere.security.auth.WSSubject
- An extension provided by the product to invoke remote J2EE resources using the credentials in the javax.security.Subject
- (zos) com.ibm.websphere.security.auth.WSSubject
- An extension provided by the product to invoke remote J2EE resources using the credentials in the javax.security.Subject
An application must invoke the WSSubject.doAs method for J2EE resources access using the subject that is generated by an explicit invocation of a WAS login module.
- com.ibm.websphere.security.cred.WSCredential
- After a successful JAAS login with the WAS LoginModules interfaces, a com.ibm.websphere.security.cred.WSCredential credential is created and stored in the Subject.
- com.ibm.websphere.security.auth.WSPrincipal
- An authenticated principal created and stored in a Subject that is authenticated by the WAS LoginModules interface.
- Use the following as an example of how to perform programmatic login using the CORBA-based programmatic login APIs: The CORBA-based programmatic login APIs are replaced by JAAS login.
The LoginHelper (API) used in the following example is deprecated in WebSphere Application Server v8.5 and will be removed in a future release. IBM recommends that you use the JAAS programmatic login APIs that are shown in the next step.
public class TestClient { ... private void performLogin() { // Get the ID and password of the user. String userid = customGetUserid(); String password = customGetPassword(); // Create a new security context to hold authentication data. LoginHelper loginHelper = new LoginHelper(); try { // Provide the ID and password of the user for authentication. org.omg.SecurityLevel2.Credentials credentials = loginHelper.login(userid, password); // Use the new credentials for all future invocations. loginHelper.setInvocationCredentials(credentials); // Retrieve the name of the user from the credentials // so we can tell the user that login succeeded. String username = loginHelper.getUserName(credentials); System.out.println("Security context set for user: "+username); } catch (org.omg.SecurityLevel2.LoginFailed e) { // Handle the LoginFailed exception. } } ... }
- Use the following example to migrate the CORBA-based programmatic login APIs to the JAAS programmatic login APIs.
The following example assumes that the application code is granted for the required Java 2 security permissions. For more information, see Configure programmatic logins for Java Authentication and Authorization Service, Protecting system resources and APIs (Java 2 security) for developing applications, and the JAAS documentation located at http://www.ibm.com/developerworks/java/jdk/security/.
public class TestClient { ... private void performLogin() { // Create a new JAAS LoginContext. javax.security.auth.login.LoginContext lc = null; try { // Use GUI prompt to gather the BasicAuth data. lc = new javax.security.auth.login.LoginContext("WSLogin", new com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl()); // create a LoginContext and specify a CallbackHandler implementation // CallbackHandler implementation determine how authentication data is collected // in this case, the authentication date is collected by login prompt // and pass to the authentication mechanism implemented by the LoginModule. } catch (javax.security.auth.login.LoginException e) { System.err.println("ERROR: failed to instantiate a LoginContext and the exception: " + e.getMessage()); e.printStackTrace(); // may be javax.security.auth.AuthPermission "createLoginContext" is not granted // to the application, or the JAAS Login Configuration is not defined. } if (lc != null) try { lc.login(); // perform login javax.security.auth.Subject s = lc.getSubject(); // get the authenticated subject // Invoke a J2EE resources using the authenticated subject com.ibm.websphere.security.auth.WSSubject.doAs(s, new java.security.PrivilegedAction() { public Object run() { try { bankAccount.deposit(100.00); // where bankAccount is an protected EJB } catch (Exception e) { System.out.println("ERROR: error while accessing EJB resource, exception: " + e.getMessage()); e.printStackTrace(); } return null; } } ); // Retrieve the name of the principal from the Subject // so we can tell the user that login succeeded, // should only be one WSPrincipal. java.util.Set ps = s.getPrincipals(com.ibm.websphere.security.auth.WSPrincipal.class); java.util.Iterator it = ps.iterator(); while (it.hasNext()) { com.ibm.websphere.security.auth.WSPrincipal p = (com.ibm.websphere.security.auth.WSPrincipal) it.next(); System.out.println("Principal: " + p.getName()); } } catch (javax.security.auth.login.LoginException e) { System.err.println("ERROR: login failed with exception: " + e.getMessage()); e.printStackTrace(); // login failed, might want to provide relogin logic } } ... }
Related tasks
Configure programmatic logins for Java Authentication and Authorization Service Develop programmatic logins with the Java Authentication and Authorization Service Protecting system resources and APIs (Java 2 security) for developing applications