WAS v8.5 > Secure applications and their environment > Secure the Liberty profile and its applications > Developing extensions to the Liberty profile security infrastructure

Customizing an application login to perform an identity assertion using JAAS

Using the Java™ Authentication and Authorization Service (JAAS) login framework, we can create a JAAS login configuration that an application uses to perform an identity assertion on the Liberty profile. By configuring identity assertion with trust validation, an application can use the JAAS login configuration to assert an identity programmatically, without presenting that identity's credentials. See IdentityAssertionLoginModule for more detail.

Avoid trouble: If we use the developer tools to configure the JAAS custom login module, refer to the sample JAAS configuration jaasConfig.xml file in the ${wlp.install.dir}/templates/config directory, and make sure the configuration in your server.xml file is similar to the one in the sample file. See Configuring JAAS on the Liberty profile using WebSphere Studio.

To customize the application login to perform an identity assertion with trust validation, follow these steps:

  1. Delegate trust validation to a user implemented plug point.

    Trust validation is accomplished by a custom login module that runs ahead of the IdentityAssertionLoginModule in the same JAAS configuration. This custom login module performs whatever trust validation is required (for example, checking that the caller making the assertion is itself a trusted identity), then places the trust verdict and the identity information in the JAAS shared state, where the IdentityAssertionLoginModule reads them. A map is required under the following shared state key:

      com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state
    If the state is missing then a WSLoginFailedException is reported by the IdentityAssertionLoginModule.

    The map in the shared state key must include a trust key with the following key name:

      com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trust
    If this key is set to true, then trust is established. If the key is set to false, then no trust is established and the IdentityAssertionLoginModule throws a WSLoginFailedException.

    The map in the shared state key must also contain one of the following entries, identifying who is being asserted:

    • A principal. A java.security.Principal can be set under the following key:

        com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
    • A certificate chain. A java.security.cert.X509Certificate[] can be set under the following key:

        com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certficates

    If both a principal and a certificate chain are supplied, then the principal is used and a warning is reported.

  2. Create a JAAS configuration for application logins. The JAAS configuration contains the user-implemented trust validation custom login module followed by the IdentityAssertionLoginModule; the order matters, because the trust validation module must populate the shared state before the IdentityAssertionLoginModule reads it. To configure an application login configuration, add the following to server.xml:
    <jaasLoginContextEntry id="CustomIdentityAssertion" name="CustomIdentityAssertion"
                           loginModuleRef="customIdentityAssertion,identityAssertion" />
    <jaasLoginModule id="customIdentityAssertion"
                     className="com.ibm.ws.security.authentication.IdentityAssertionLoginModule"
                     controlFlag="REQUIRED" libraryRef="customLoginLib"/>
    <library id="customLoginLib">
        <fileset dir="${server.config.dir}" includes="IdentityAssertionLoginModule.jar"/>
    </library>
    Here customIdentityAssertion is the user-implemented trust validation module, loaded from the jar in the customLoginLib library in the server configuration directory. The second reference, identityAssertion, is not defined in this snippet: it names the IdentityAssertionLoginModule that the Liberty profile provides. This JAAS configuration is then used by the application to perform an identity assertion.
  3. Perform the programmatic identity assertion. A program can now use the JAAS login configuration to perform a programmatic identity assertion. The application creates a login context for the JAAS configuration created in step 2, supplying a CallbackHandler that answers the NameCallback with the identity to be asserted, and logs in to that context. If the login succeeds, the Subject it returns can be set as the run-as identity of the current thread. Here is an example of how such code operates:
    Principal asserted = new MyPrincipal("Joe");        // MyPrincipal implements java.security.Principal
    CallbackHandler handler = callbacks -> {            // answers the NameCallback issued by the trust validation module
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(asserted.getName());
            else throw new UnsupportedCallbackException(cb);
        }
    };
    LoginContext lc = new LoginContext("CustomIdentityAssertion", handler);
    lc.login();                                         // assume successful; a failed trust check surfaces as a LoginException
    Subject s = lc.getSubject();
    WSSubject.setRunAsSubject(s);
    // From here on, the run-as identity is "Joe"

    The MyPrincipal class is the implementation of the java.security.Principal interface in the example. The name passed to the LoginContext constructor must match the name attribute of the jaasLoginContextEntry in step 2; the callback classes come from javax.security.auth.callback, LoginContext from javax.security.auth.login, and WSSubject from com.ibm.websphere.security.auth.
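The following trust validation login module is an added example for step 1; it is not code from this page or from the Liberty profile. It assumes a hypothetical package name, a hypothetical login-module option named trustedAsserters (a comma-separated list of identities allowed to assert, assumed to reach the module through the jaasLoginModule element's options), and it derives trust from the identity the calling thread is already authenticated as, read with WSSubject.getCallerPrincipal(). The shared state key strings are copied from this page. It also carries the MyPrincipal class that the application example in step 3 uses.

```java
package com.example.security;   // hypothetical package; not part of the Liberty profile

import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.security.auth.WSSubject;

/**
 * Trust validation module that runs ahead of IdentityAssertionLoginModule in the
 * CustomIdentityAssertion configuration. Trust is established only when the code
 * making the assertion is itself running as one of the configured trusted asserters;
 * the verdict and the asserted principal are handed on through the JAAS shared state.
 */
public class TrustValidationLoginModule implements LoginModule {

    // Shared state keys consumed by IdentityAssertionLoginModule (copied from the page)
    private static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.";
    static final String STATE_KEY     = PREFIX + "state";
    static final String TRUST_KEY     = PREFIX + "trust";
    static final String PRINCIPAL_KEY = PREFIX + "principal";

    // Hypothetical login-module option: comma-separated identities allowed to assert
    static final String TRUSTED_ASSERTERS_OPTION = "trustedAsserters";

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private Set<String> trustedAsserters = Collections.emptySet();   // default deny

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = callbackHandler;
        this.sharedState = (Map<String, Object>) sharedState;   // JAAS hands modules a mutable map
        Object configured = options.get(TRUSTED_ASSERTERS_OPTION);
        if (configured != null) {
            trustedAsserters = new HashSet<>(Arrays.asList(configured.toString().split("\\s*,\\s*")));
        }
    }

    @Override
    public boolean login() throws LoginException {
        // 1. Ask the application which identity it wants to assert to.
        NameCallback nameCallback = new NameCallback("asserted identity: ");
        try {
            handler.handle(new Callback[] { nameCallback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (LoginException) new LoginException("cannot obtain asserted identity").initCause(e);
        }
        String asserted = nameCallback.getName();

        // 2. Validate trust: the asserted name itself proves nothing; what matters is whether
        //    the caller already authenticated on this thread is allowed to assert identities.
        String asserter = WSSubject.getCallerPrincipal();
        boolean trusted = asserted != null && !asserted.isEmpty()
                          && asserter != null && trustedAsserters.contains(asserter);

        // 3. Publish the verdict; IdentityAssertionLoginModule fails the login when trust is false.
        Map<String, Object> state = new HashMap<>();
        state.put(TRUST_KEY, Boolean.valueOf(trusted));
        if (trusted) {
            state.put(PRINCIPAL_KEY, new MyPrincipal(asserted));
        }
        sharedState.put(STATE_KEY, state);
        return true;
    }

    @Override public boolean commit() { return true; }   // IdentityAssertionLoginModule populates the Subject
    @Override public boolean abort()  { return true; }
    @Override public boolean logout() { return true; }

    /** Minimal java.security.Principal carrying the asserted name (the MyPrincipal of step 3). */
    public static final class MyPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        public MyPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof MyPrincipal && name.equals(((MyPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "MyPrincipal[" + name + "]"; }
    }
}
```

Two points about the design. Trust is decided from the asserter's existing authenticated identity, never from the name being asserted, because any caller can put any string into a NameCallback; with no trustedAsserters configured the module denies everything, so a misconfigured server fails closed. The module also leaves the trust flag false rather than throwing, so the failure reaches the application as the WSLoginFailedException that the page describes the IdentityAssertionLoginModule raising; throwing a LoginException from login() directly would be an equally valid, and faster-failing, alternative.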

Results

Using the JAAS login framework, a user-implemented trust validation login module chained with the IdentityAssertionLoginModule gives us a JAAS login configuration that an application can use to perform a programmatic identity assertion.


Parent topic: Developing extensions to the Liberty profile security infrastructure
