WAS v8.5 > Reference > Administrator examplesExample: Custom login module for inbound mapping
This sample shows a custom login module that creates a java.util.Hashtable hashtable based on the specified NameCallback callback. The java.util.Hashtable hashtable is added to the sharedState java.util.Map map so the WebSphere Application Server login modules can locate the information in the Hashtable.
public customLoginModule() { public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { // (For more information on initialization, see // Develop custom login modules for a system login configuration for JAAS.) _sharedState = sharedState;} public boolean login() throws LoginException { // (For more information on what to do during login, see // Develop custom login modules for a system login configuration for JAAS.) // Handles the WSTokenHolderCallback to see if this is an initial or // propagation login. javax.security.auth.callback.Callback callbacks[] = new javax.security.auth.callback.Callback[3]; callbacks[0] = new javax.security.auth.callback.NameCallback(""); callbacks[1] = new javax.security.auth.callback.PasswordCallback( "Password: ", false); callbacks[2] = new com.ibm.websphere.security.auth.callback. WSCredTokenCallbackImpl(""); callbacks[3] = new com.ibm.wsspi.security.auth.callback. WSTokenHolderCallback(""); try { callbackHandler.handle(callbacks); } catch (Exception e) { // Handles the exception } // Determines which callbacks contain information boolean identitySwitched = false; String uid = ((NameCallback) callbacks[0]).getName(); char password[] = ((PasswordCallback) callbacks[1]).getPassword(); byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[2]).getCredToken(); java.util.List authzTokenList = ((WSTokenHolderCallback) callbacks[3]). getTokenHolderList(); if (credToken != null) { try { String uniqueID = WSSecurityPropagationHelper.validateLTPAToken(credToken); String realm = WSSecurityPropagationHelper.getRealmFromUniqueID (uniqueID); // Set the string to the UID so we can use the information to either // map or login. uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueid); } catch (Exception e) { // handle exception } } else if (uid == null) { // The authentication data is not valid. You must have either UID // or CredToken throw new WSLoginFailedException("invalid authentication data."); } else if (uid != null && password != null) { // This is a typical authentication. Choose to map this ID to // another ID or we can skip it and allow WAS // to log in for you. When passwords are presented, be very careful not // to validate the password because this is the initial authentication. return true; } // We can map this uid to something else and set the identitySwitched // boolean. If the identity is changed, clear the following propagated // attributes so they are not used incorrectly. uid = myCustomMappingRoutine (uid); // Clear the propagated attributes because they no longer apply to the new identity if (identitySwitched) { ((WSTokenHolderCallback) callbacks[3]).setTokenHolderList(null); } boolean requiresLogin = ((com.ibm.wsspi.security.auth.callback. WSTokenHolderCallback) callbacks[2]).getRequiresLogin(); if (requiresLogin || identitySwitched) { // Retrieve the default InitialContext for this server. javax.naming.InitialContext ctx = new javax.naming.InitialContext(); // Retrieve the local UserRegistry object. com.ibm.websphere.security.UserRegistry reg = (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry"); // Retrieve the registry uniqueID based on the uid specified // in the NameCallback. String uniqueid = reg.getUniqueUserId(uid); uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueid); // Retrieve the display name from the user registry based on the uniqueID. String securityName = reg.getUserSecurityName(uid); // Retrieve the groups associated with this uniqueID. java.util.List groupList = reg.getUniqueGroupIds(uid); // Creates the java.util.Hashtable with the information that you gathered // from the UserRegistry. java.util.Hashtable hashtable = new java.util.Hashtable(); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_UNIQUEID, uniqueid); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_SECURITYNAME, securityName); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_GROUPS, groupList); // Adds a cache key used as part of the lookup mechanism for // the created Subject. The cache key can be an object, but has // an implemented toString method. Verify the cacheKey contains enough // information to scope it to the user and any additional attributes you are // using. If we do not specify this property, the Subject is scoped to the // WSCREDENTIAL_UNIQUEID returned, by default. hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_CACHE_KEY, "myCustomAttribute" + uniqueid); // Adds the hashtable to the shared state of the Subject. _sharedState.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_PROPERTIES_KEY, hashtable); } else if (requiresLogin == false) { // For more information on this section, see // Security attribute propagation. // If you added a custom Token implementation, we can search through the // token holder list for it to deserialize. // Note: Any Java objects are automatically deserialized by // wsMapDefaultInboundLoginModule for (int i=0; i<authzTokenList.size(); i++) { TokenHolder tokenHolder = (TokenHolder) authzTokenList.get(i); if (tokenHolder.getName().equals("com.acme.MyCustomTokenImpl")) { byte[] myTokenBytes = tokenHolder.getBytes(); // Passes these bytes into the constructor of your implementation // class for deserialization. com.acme.MyCustomTokenImpl myTokenImpl = new com.acme.MyCustomTokenImpl(myTokenBytes); } } }} public boolean commit() throws LoginException { // (For more information on what to do during a commit, see // Develop custom login modules for a system login configuration for JAAS.)} // Defines the login module variables com.ibm.wsspi.security.token.AuthorizationToken customAuthzToken = null; com.ibm.wsspi.security.token.AuthenticationToken defaultAuthToken = null; java.util.Map _sharedState = null;}
Related concepts:
Security attribute propagation
Related
Configure inbound identity mapping
Develop custom login modules for a system login configuration for JAAS