WAS v8.5 > Secure applications > Authorizing access to resources

Use the SCA RequestContext.getSecuritySubject() API

The SCA RequestContext.getSecuritySubject() application programming interface returns a Java Authentication and Authorization Service (JAAS) Subject that represents the authenticated user who accesses the protected SCA service.

SCA service developers can use the RequestContext.getSecuritySubject() API to obtain a JAAS Subject that represents the requester.

If one or more of the following preconditions are not met, the SCA request is not authenticated and the RequestContext.getSecuritySubject() API returns a null Subject:

When using the RequestContext.getSecuritySubject() API, perform the following steps:

  1. Use the RequestContext.getSecuritySubject API in your file.

    The following example utilizes the OSOA RequestContext.getSecuritySubject API:

    import org.osoa.sca.annotations.Context;
    import org.osoa.sca.annotations.Service;
    import org.osoa.sca.RequestContext;
    import javax.security.auth.Subject;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import com.ibm.websphere.security.cred.WSCredential;   // used in step 2
    
    @Service(EchoService.class)
    public class EchoServiceWithIdentityComponentImpl implements EchoService
    {
        // Injected by the SCA runtime; only populated during a service invocation.
        @Context
        protected RequestContext requestContext;
    
        public String echo_String(String input)
        {
            Subject subject = null;
            String securityName = null;
    
            try {
                if (requestContext != null) {
                    subject = requestContext.getSecuritySubject();
                }
    
                // A null Subject means the request was not authenticated.
                if (subject != null) {
                    Set<Principal> principalSet = subject.getPrincipals();
                    if (principalSet != null && !principalSet.isEmpty()) {
                        Iterator<Principal> principalIterator = principalSet.iterator();
                        if (principalIterator.hasNext()) {
                            Principal principal = principalIterator.next();
                            securityName = principal.getName();
                        }
                    }
                }
            } catch (Exception ex) {
                // Handle exception
            }
            // Echo the input together with the caller's security name (null if unauthenticated).
            return securityName + ": " + input;
        }
    }

    The same example applies to using the OASIS RequestContext.getSecuritySubject API with the exception of package name changes:

    import org.oasisopen.sca.annotation.Context;
    import org.oasisopen.sca.annotation.Service;
    import org.oasisopen.sca.RequestContext;

  2. We can obtain various security attributes of the request from the WSCredential object held in the public credentials of the Subject, as shown in the following example. The WSCredential getters throw checked exceptions when the credential has expired or been destroyed, so run this code inside the try block of step 1:

    StringBuffer attributes = null;
    if (subject != null) {
        Set<Object> credSet = subject.getPublicCredentials();
        if (credSet != null && !credSet.isEmpty())
        {
            Iterator<Object> credIterator = credSet.iterator();
            while (credIterator.hasNext()) {
                Object o = credIterator.next();
                WSCredential cred = null;
                if (o instanceof WSCredential) {
                    cred = (WSCredential) o;
                } else {
                    // Other public credential types are only reported, not interpreted.
                    if (attributes == null) {
                        attributes = new StringBuffer();
                    }
                    attributes.append("\n>> Found a public credential: " + o.getClass().getName());
                }
                if (cred != null) {
                    if (attributes == null) {
                        attributes = new StringBuffer();
                    }
                    attributes.append("\n>> WSCredential security attributes . . .");
                    attributes.append("\n>> getAccessId = \t\t" + cred.getAccessId());
                    attributes.append("\n>> getGroupIds = \t\t" + cred.getGroupIds());
                    attributes.append("\n>> getPrimaryGroupId = \t\t" + cred.getPrimaryGroupId());
                    attributes.append("\n>> getRealmName = \t\t" + cred.getRealmName());
                    attributes.append("\n>> getRealmSecurityName = \t\t" + cred.getRealmSecurityName());
                    attributes.append("\n>> getRealmUniqueSecurityName = \t\t" + cred.getRealmUniqueSecurityName());
                    attributes.append("\n>> getSecurityName = \t\t" + cred.getSecurityName());
                    attributes.append("\n>> getUniqueSecurityName = \t\t" + cred.getUniqueSecurityName());
                }
            }
        }
    }

    The principal identity consists of a realm name followed by the identity of the requester. For example, assume WebSphere Application Server is configured to use an LDAP server for authentication. The realm name is the LDAP server host name and the port number:

      security name = ldap1.austin.ibm.com:389/user2

    Sample output is shown below:

    >> WSCredential security attributes . . . 
    >> getAccessId =    user:ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us 
    >> getGroupIds =    [group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US] 
    >> getPrimaryGroupId =   group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US 
    >> getRealmName =   ldap1.austin.ibm.com:389 
    >> getRealmSecurityName =  ldap1.austin.ibm.com:389/user2 
    >> getRealmUniqueSecurityName = ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us 
    >> getSecurityName =   user2 
    >> getUniqueSecurityName =  cn=user2,o=ibm,c=us
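    As an added illustration (not code from the WebSphere documentation or product), the following hypothetical helper turns the Subject and WSCredential obtained in the steps above into a fail-closed group-membership decision: an unauthenticated request (null Subject), a Subject without a WSCredential, or an expired or destroyed credential is denied. The class and method names are assumptions, and the REQUIRED_GROUP value is a constructed sample modelled on the group id format in the output above.

```java
import java.util.List;
import javax.security.auth.Subject;
import org.osoa.sca.RequestContext;
import com.ibm.websphere.security.cred.WSCredential;

// Hypothetical helper (not part of WebSphere): fail-closed group check on the SCA caller.
public final class CallerGroupCheck {
    // Constructed sample group id, in the realm-qualified form WSCredential reports.
    static final String REQUIRED_GROUP =
        "group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US";
    // Returns the WSCredential among the Subject's public credentials, or null.
    static WSCredential findCredential(Subject subject) {
        if (subject == null) {
            return null;                 // null Subject: the request was not authenticated
        }
        for (Object o : subject.getPublicCredentials()) {
            if (o instanceof WSCredential) {
                return (WSCredential) o;
            }
        }
        return null;
    }

    // True only when the caller is authenticated, the credential is still valid and one
    // of its group ids equals requiredGroup (LDAP DNs compare case-insensitively).
    static boolean isMemberOf(Subject subject, String requiredGroup) {
        WSCredential cred = findCredential(subject);
        if (cred == null) {
            return false;
        }
        try {
            List<?> groups = cred.getGroupIds();
            if (groups != null) {
                for (Object g : groups) {
                    if (requiredGroup.equalsIgnoreCase(String.valueOf(g))) {
                        return true;
                    }
                }
            }
            return false;
        } catch (Exception e) {
            return false;                // expired or destroyed credential: deny
        }
    }
    // Call from a service method whose @Context RequestContext the runtime injected.
    static boolean callerAllowed(RequestContext ctx) {
        return ctx != null && isMemberOf(ctx.getSecuritySubject(), REQUIRED_GROUP);
    }
}
```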


Related


Use SCA authorization and security identity policies
