(WAS v8.5.0.1)

Generating a dynamic UsernameToken using a stacked JAAS login module

We can use the GenericSecurityTokenFactory APIs to create fully-populated or simple UsernameToken security tokens for use by the WS-Security runtime. These security tokens can be used for, but are not be limited to, WSSAPIs, and JAAS login modules, or UNTGenerateLoginModule.

The GenericSecurityTokenFactory provides several APIs that we can use to create UsernameTokens that can be emitted with the GenericIssuedTokenGenerateLoginModule.

(V8502) There are two types of UsernameTokens:

Full UsernameToken

A full UsernameToken contains XML and can be emitted with the GenericSecurityTokenFactory login module.

Simple UsernameToken

A simple UsernameToken contains only a user name and password; it does not contain XML. Simple UsernameTokens are used to set a dynamic username and password that the UNTGenerateLoginModule, LTPAGenerateLoginModule, and KRBGenerateLoginModule can use.

When a full UsernameToken is created using a GenericSecurityTokenFactory API, the token is the complete form of a security token that can be emitted by the WS-Security run time. Determine the type of token to create, and then issue commands, similar to the ones specified in one of the following steps, to create your token. After the token is created, the user name and password in the token cannot be modified.

(V8502) When a simple UsernameToken is created using a GenericSecurityTokenFactory API, the token contains only the user name and optionally the password. Because a simple UsernameToken does not contain XML, it cannot be emitted with the GenericIssuedTokenGenerateLoginModule.

1. Create a UsernameToken. We can create one of the following types of UsernameToken:

   • A full UsernameToken with a user name and password

   • A full UsernameToken with a user name and timestamp, but no password

   • (V8502) A simple UsernameToken with a user name and password

   • Create a full UsernameToken with a user name and password.

     import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
     import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
      ...
      GenericSecurityTokenFactory gstFactory = GenericSecurityTokenFactory.getInstance();
     UsernameToken myUnt = gstFactory.getFullUsernameToken("myUsername", "myPassword".toCharArray());

   • Create a full UsernameToken with a user name and timestamp, but no password.

     import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
     import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
      ...
      GenericSecurityTokenFactory gstFactory = GenericSecurityTokenFactory.getInstance();
     UsernameToken myUnt = gstFactory.getFullUsernameToken("myUsername", null, true);

   • (V8502) Create a simple UsernameToken with a user name and password.

     import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
     import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
     ...
     GenericSecurityTokenFactory gstFactory = GenericSecurityTokenFactory.getInstance();
     UsernameToken myUnt = gstFactory.getSimpleUsernameToken("myUsername", "myPassword".toCharArray());

2. Create a JAAS login module. If we created a full UsernameToken in the previous step, create a JAAS login module that can be stacked on top of GenericIssuedTokenGenerateLoginModule to emit a full UsernameToken. If we created a simple UsernameToken in the previous step, create a JAAS login module that can be stacked on top of UNTGenerateLoginModule to emit a dynamic UsernameToken.

   • Create a JAAS login module that can be stacked on top of GenericIssuedTokenGenerateLoginModule to emit a full UsernameToken.

     (V8502) The following example applies if you are using v8.5.0.2 or later:

     package test.tokens;
      import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
     import java.util.HashMap;
     import java.util.Map;
      import javax.security.auth.Subject;
     import javax.security.auth.callback.CallbackHandler;
     import javax.security.auth.login.LoginException;
     import javax.security.auth.spi.LoginModule;
     import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
      import java.util.ArrayList;
      public class MyFullUntGenerator implements LoginModule {
        private Map _sharedState;
       private Map _options;
       private CallbackHandler _handler;
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
          this._handler = callbackHandler;
         this._sharedState = sharedState;
         this._options = options;     }
        public boolean login() throws LoginException {
         //For the sake of readability, this login module does not     //protect against all NPE's
          GenericSecurityTokenFactory factory = null;
         try {
           factory = GenericSecurityTokenFactory.getInstance();
         } catch (Exception e) {
           throw new LoginException(e.toString());
         }
         if (factory == null) {
           throw new LoginException("GenericSecurityTokenFactory.getInstance() returned null");
         }
          //The userid and password can be obtained however we want     UsernameToken unt = factory.getFullUsernameToken("myUsername", "myPassword".toCharArray());
           //Put the token in a list on the shared state where it will be available to be used by     //stacked login modules     factory.putGeneratorTokenToSharedState(_sharedState, unt);
          return true;
       }
       //implement the rest of the methods  required by the //LoginModule interface }

   • (V8502) Create a JAAS login module that can be stacked on top of UNTGenerateLoginModule to emit a dynamic UsernameToken

     package test.tokens;
      import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
     import java.util.HashMap;
     import java.util.Map;
      import javax.security.auth.Subject;
     import javax.security.auth.callback.CallbackHandler;
     import javax.security.auth.login.LoginException;
     import javax.security.auth.spi.LoginModule;
     import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
      import java.util.ArrayList;
      public class MySimpleUntGenerator implements LoginModule {
        private Map _sharedState;
       private Map _options;
       private CallbackHandler _handler;
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
          this._handler = callbackHandler;
         this._sharedState = sharedState;
         this._options = options;     }
        public boolean login() throws LoginException {
         //For the sake of readability, this login module does not     //protect against all NPE's
          GenericSecurityTokenFactory factory = null;
         try {
           factory = GenericSecurityTokenFactory.getInstance();
         } catch (Exception e) {
           throw new LoginException(e.toString());
         }
         if (factory == null) {
           throw new LoginException("GenericSecurityTokenFactory.getInstance() returned null");
         }
           //The userid and password can be obtained however we want     UsernameToken unt = factory.getSimpleUsernameToken("myUsername", "myPassword".toCharArray());
          //Put the token in a list on the shared state where it will be available to be used by     //stacked login modules     factory.putGeneratorTokenToSharedState(_sharedState, unt);
          return true;
       }
       //implement the rest of the methods  required by the //LoginModule interface }

3. Create a JAAS login configuration.

   1. Note the full class name of the custom login module created in the previous step. For example, test.tokens.MyFullUntGenerator.

   2. Note the full class name of the login module that you are stacking on. For example, com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule or com.ibm.ws.wssecurity.wssapi.token.impl.GenericIssuedTokenGenerateLoginModule.

   3. In the console, go to Security > Global security > Authentication, go to Java Authentication and Authorization Service > System logins.

   4. Click New, and under Alias, enter test.generate.unt.

   5. Under JAAS login modules, click New, and under Module class name, enter the name of the custom login module. Select Use login module proxy, and click OK.

   6. Click New, and under Module class name, enter the name of the login module that you are stacking on. Click OK.

4. Configure the UsernameToken token generator to use the new JAAS login configuration.

   1. In the console, open the bindings configuration to change.

   2. Select WS-Security > Authentication and protection > Authentication tokens, select the outbound UsernameToken to change.

   3. Under JAAS login, select test.generate.unt.

   4. Optional: If using GenericIssuedTokenGenerateLoginModule, add the passThroughToken=true custom property.

      1. Click Callback handler.

      2. Add the passThroughToken=true custom property.

      3. Click OK.

5. Click Save.

6. Restart the application server to apply the JAAS configuration changes.

7. Test the service.

Related tasks

Create custom security tokens for Web services security using the GenericSecurityTokenFactory SPIs

Generating and Consuming custom tokens with the Generic Issue Login Modules