Portlet authentication


  1. Overview
  2. Credential vault organization
  3. Vault segments
  4. Vault slots
  5. Credential objects
  6. Credential vault usage scenarios
  7. Credential vault samples
  8. Change the credential vault encryption


Overview

WebSphere Portal uses CORBA credentials and an encrypted LTPA cookie to authenticate users. To access backend systems that require their own authentication, portlets need to provide some form of authentication. For single sign-on, portlets must store and retrieve user credentials for associated applications, and use those credentials to log in on behalf of the user. WebSphere Portal has a credential vault for stored credentials. Portlets written to extract the user's credentials from the vault, using the credential vault portlet service (CredentialVaultService), can hide the login challenge from the user.


Credential vault organization

The portal administrator can partition the vault into several vault segments. Vault segments can be created and configured only by portal administrators.

A vault segment contains one or more vault slots, which are the "drawers" where portlets store and retrieve a user's credentials. Each slot holds one credential.

A vault slot is linked to a resource in a vault implementation.


Vault segments

A vault segment is flagged to be either administrator-managed or user-managed. While portlets (on behalf of a portal user) can set and retrieve credentials in both types of segments, they are permitted to create vault slots only in user-managed vault segments. The following figure shows how administrator-managed vault segments can be distributed among different vault implementations. There is only one user-managed vault segment, and it resides in the default-customization vault provided by WebSphere Portal.


Vault slots

The credential vault provided by WebSphere Portal distinguishes between four different types of vault slots:

Vault Slots in administrator-managed vault segments:

Vault Slots in user-managed vault segments:

Constraints:

Vault Slot Type Segment type Shared Creation through Secret Sharing
System Slot administrator-managed true Credential Vault administrative portlet One secret per system. Shared among all users and portlets
Administrative Slot administrator-managed false Credential Vault administrative portlet One secret per user. Shared among all of user's portlets
Shared User Slot user-managed true Credential Vault portlet service One secret per user. Shared among all of user's portlets
Portlet Private Slot user-managed false Credential Vault portlet service One secret per user and portlet entity. Not shared among portlets


Credential objects

The credential vault portlet service returns credentials in form of credential objects. The following are the base interface classes for all credential objects:

WebSphere Portal differentiates between passive and active credential objects.

Active credential objects allow portlets to trigger authentication to remote servers using standard mechanisms such as basic authentication, HTTP form-based authentication, or POP3 authentication, without obtaining the credential secrets. They can ask the portal to authenticate on their behalf and then use already authenticated connections. From a security point of view the portlets never access the credential secrets and thus there is no risk a portlet could violate any security rules like, for example, storing the secret on the portlet session. While there might not always be an appropriate active credential class available, it is the preferred type of credential object to use.

All credential types that are available within the portal are registered in a credential type registry. WebSphere Portal provides a small set of credential types, but additional credential objects can be registered in this registry.

The ActiveCredential and PassiveCredential interfaces inherit from the Credential base interface. The following topics describe the different types of active and passive credential objects provided by WebSphere Portal:
Passive Credential Objects:

SimplePassive Stores secrets in the form of serializable Java objects. As the vault service does currently not support binary large object (BLOB) secrets, this is intended for future use only.
UserPasswordPassive Credential object that stores secrets in the form of userid/password pairs.
JaasSubjectPassive Credential object that stores secrets in form of javax.security.auth.Subject objects. Again, this kind of secret cannot currently be stored by the vault service. It is used as a transient credential that is not persisted but taken from the user's session.
BinaryPassiveCredential Credential object that stores secrets in the form of a byte array.


Active Credential Objects:

BinaryCredential Stores secrets in binary form.
UserPasswordCredential
HttpBasicAuth Stores userid/password secrets and supports HTTP Basic Authentication.
HttpFormBasedAuth Stores userid/password secrets and supports HTTP Form-Based Authentication.
JavaMail A credential object that stores userid/password pairs and uses the authentication functionality of the javax.mail API.

JaasSubjectCredential The following credentials store the user's secret as a JAAS Subject. These credentials are not persisted in the Credential Vault but created from the user's JAAS Subject associated with the current session.

LtpaToken or LtpaToken2 A credential object for authenticating with a backend system that is within the same WAS single sign-on domain as the portal. LtpaToken2 is only available if attribute propagation is enabled.

Computer Associates eTrust SiteMinder Token A credential object for authenticating with a backend system that is within the same eTrust SiteMinder single sign-on domain as the portal. This credential should be used when eTrust SiteMinder is used as an authentication proxy for the portal.
WebSealToken A credential object for authenticating with a backend system that is within the same WebSEAL single sign-on domain as the portal. This credential should be used when a WebSEAL authentication proxy is used by the portal.
SSMTokenCredential A credential object for authenticating with a back-end system that is within the same Openwave SSM single sign-on domain as the portal. This credential should be used when Openwave SSM is the authentication proxy for the portal authentication. The credential needs to be provided in form of the portal's JAAS Subject containing a private credential that holds the user's SSMCredential.


Store credential objects in the PortletSession

Credential objects do not implement java.io.Serializable - they cannot simply be stored in the PortletSession. This is for security reasons. Because the credential classes store the actual credential secret as one of their private attributes, the secret could be found by anyone who has access to the application server session database.

However, you can store a credential object in the PortletSession as long as you ensure sure that it is not serialized in a clustered environment. One way of doing this would be to define a credential container class that stores the actual credential object as a transient member. This container object can then be stored in the PortletSession without any problems, you only have to make sure to check whether the credential object got lost during serialization and in this case retrieve it from the vault again.

import com.ibm.portal.portlet.service.credentialvault.credentials.Credential;
 
public class CredentialSessionContainer implements java.io.Serializable
{
   private transient Credential credential = null;
 
   public void setCredential(Credential cred) {this.credential = cred;}
 
   public Credential getCredential() {return credential;}
 
   public boolean hasCredential() {return credential != null;}
}


Credential vault usage scenarios

Portlets that need a credential to complete their service have two options:

  1. Use an existing slot that has been defined by the portal administrator in an administrator-managed vault segment.

  2. Create a new slot in the user-managed vault segment.

The option you choose depends on how the portlet will be used. Generally, the best solution hides the technical details of the credential vault from users. Additionally, Active Credentials of the type JaasSubjectCredential provide the portlet with the ability to access resources within the same single sign-on domain as the portal.

The following are some example scenarios for the use of slots.
Intranet Lotus Notes mail portlet

A company has an intranet employee portal. Each portal user has a Lotus Notes mail server account and a Lotus Notes mail portlet will be deployed and pre-configured on one of the employee's default portal pages.

Design solution:

The Notes mail portlet needs to store the user's Notes password. As most users will actually use this portlet, the administrator needs to create a "Lotus Notes Credential Slot" for it through the Credential Vault administrative portlet. Using the portlet's configure mode, the administrator sets the vault slot ID for all portlet entries. The portlet allows users to set their personal Notes password in edit mode. The portlet can store each user's password in the credential vault.

If the company would use a Lotus Domino server within the same single sign-on domain as portal, it would also be possible to use an LTPAToken Credential based on the user's JAAS Subject. This credential offers access to the domino server through an authenticated connection that reuses the user's LTPA token.


Stock of inventory portlet

A company's buying department runs a portal that integrates different legacy applications. One of these applications is a mainframe ordering application that directly connects to the systems of the suppliers. Several employees use the ordering portlet. However, the mainframe application is secured by a single system ID; it does not support several user accounts.

Design solution: The ordering portlet needs to access the ordering application under the system ID. The administrator configures the vault slot ID during portlet deployment. The portal administrator therefore creates a vault slot in an administrator-managed vault segment and marks it as a system credential. The administrator uses the Credential vault portlet to store the ordering system ID and password in this slot. The buying department's employees do not have to be concerned with credentials at all.


Internet Mail federating POP3 portlet

An Internet community portal offers, among other features, a mail-federating portlet that can be used by a portal user to collect mail from a number of POP3 mail accounts.

Design solution: The mail federating portlet is just another feature of the community portal and thus is likely to be used only by some of the portal users. Furthermore, it is not clear from the outset how many mail accounts a user wants to federate. Therefore, it does not make sense for the portal administrator to create a vault slot for this portlet. Instead, the portlet provides users with a comfortable configuration in edit mode. Users can add as many POP3 mailboxes as necessary. The portlet creates a vault slot for each of the user's mailboxes in the user-managed vault segment.

Theoretically, a user could configure two instances of the portlet on a page, one for business accounts and one for private mail accounts. Therefore, and because it most likely doesn't make sense to share the user's mail credentials with other portlets, the portlet created vault slots are better marked as portlet private.


Credential vault samples

This section contains sample code for using the credential vault service. See the Portlet API Javadoc documentation for further information about the methods of the CredentialVaultService.

Standard portlet example from Rational Application Developer

When you use the portlet wizard in Rational Application Developer to create portlets that use the credential vault portlet service, the wizard generates a SecretManager class for you that handles common tasks. The session bean generated by the wizard includes getters and setters for the secret type and vault slot name. The following examples show code that could be generated for you, depending on selections, when you create a JSR 168 portlet project. This code is only a demonstration of how you can use the credential vault. Any code that is generated must be further customized for specific application requirements.

  1. Retrieve the credential vault portlet service.

    This code is placed in the init() method of the SecretManager and is called from the init() of the main portlet class. See Access portlet services for general information about how portlet services are retrieved using JNDI.

    public static void init(PortletConfig config) throws PortletException {
      try {
        if( vaultService == null ) {
          Context ctx = new InitialContext();
          PortletServiceHome cvsHome = 
            (PortletServiceHome)ctx.lookup("portletservice/com.ibm.portal.portlet.
               service.credentialvault.CredentialVaultService"); 
          if (cvsHome != null) {
            vaultService = (CredentialVaultService)cvsHome.getPortletService
              (CredentialVaultService.class);
          }
        }
      } catch (Exception e) {
        throw(new PortletException("Error on init()", e)); 
      }
    }
    
    
    

  2. Set the credential.

    The portlet's processAction() method gets the USERID and PASSWORD parameters on the action request from the edit JSP. If both parameters are not null, then these are used to set the credential.

    if( request.getParameter(USER_SUBMIT) != null ) {
       // Set userId/password text in the credential vault
       PortletSessionBean sessionBean = getSessionBean(request);
       if( sessionBean!=null ) {
          String userID   = request.getParameter(USERID);
          String password = request.getParameter(PASSWORD);
          // save only if both parameters are set
          if(userID!=null && password!=null && !userID.trim().equals("") && 
            !password.trim().equals("")) {
             try {
                SecretManager.setCredential(request,sessionBean,userID,password);
             }
             catch (Exception e) {
                //Exception Handling
             }
          }
       }
    }
    
    
    

    The setCredential() method in the SecretManager class determines if the portlet can write to the slot and if the slot ID has content. If so, it uses the setCredentialSecretUserPassword() method of the credential vault service to set the credential to the slot.

    public static boolean setCredential(PortletRequest portletRequest,
                                        PortletSessionBean sessionBean,
                                        String userID,
                                        String password)  throws PortletException {
    try {
       if( isWritable(sessionBean) ) {
          String slotId = getSlotId(portletRequest,sessionBean,true); // create
            slot if necessary
          if( slotId != null ) {
             vaultService.setCredentialSecretUserPassword(slotId,userID,password.
            toCharArray(),portletRequest);
             return true;
          }
       }
    }
    catch( CredentialVaultException e) {
    			//Exception Handling
    }
    return false;
    }
    
    
    

  3. Get a slot for storing the user's credentials.

    The setCredential() method calls this method to either create a new slot or use an existing, accessible slot.

    • The slot name is set as a portlet preference so that it can be changed by the administrator to any slots created using the portal administration interface.

    • For a portlet private slot, this method creates a new slot if the slot name from the portlet preferences is null. The createNewSlot() method is another custom method of SecretManager that uses to createCredentialSlot() method of the credential vault service. This method can only create non-system slots and returns a CredentialSlotConfig object. The slotID of the new slot is stored in the portlet preferences and is used to update and retrieve the portlet private credentials.

    • For a shared slot, this method searches for a shared resource name from accessible slots. If a shared slot is not available, it creates a new slot.

    private static String getSlotId(PortletRequest portletRequest, 
                                    PortletSessionBean sessionBean, 
                                    boolean bCreate)  throws PortletException {
       String slotId = null;
       String slotName = sessionBean.getVaultSlotName();
       switch( sessionBean.getSecretType() ) {
          case SECRET_PORTLET_PRIVATE_SLOT:
             PortletPreferences prefs = portletRequest.getPreferences();
             String prefsKey = ".slot."+portletRequest.getRemoteUser()+".
               "+slotName;
             slotId = prefs.getValue(prefsKey,null);
             if( slotId==null && bCreate ) {
                slotId = createNewSlot(portletRequest,slotName, true);  // 
                  create private slot
                if( slotId != null ) {
                   try {
                      prefs.setValue(prefsKey,slotId);
                      prefs.store();
                   }
                   catch( Exception e ) {
                      throw(new PortletException("Error on PortletPreferences.
                        store()", e));
                   }
                }
             }
             break;
          case SECRET_SHARED_SLOT:
             try {
                Iterator it = vaultService.getAccessibleSlots(portletRequest);
                while( it.hasNext() ) {
                   CredentialSlotConfig config = (CredentialSlotConfig)it.next() ;
                   //searches for shared resource name
                   if( config.getResourceName().startsWith(slotName ) ) {
                      slotId = config.getSlotId();
                      break;
                   }
                }
                if( slotId==null && bCreate )
                    slotId = createNewSlot(portletRequest,slotName,false);  
                      // create shared slot
             }
             catch( CredentialVaultException e) {
             // exception handling goes here
             }
             break;
          default:
             slotId = slotName;
             break;
       }
       return slotId;
    }
    
    
    

  4. Retrieve the credential

    Both the doView() and doEdit method call getCredential() from the SecretManager. For the case of passive credentials, this portlet sets the USERID and PASSWORD returned from this method as attributes on the request.

    StringBuffer userId = new StringBuffer("");
    StringBuffer password = new StringBuffer("");
    try {
       SecretManager.getCredential(request,sessionBean,userId, password);
    }
    catch( Exception e ) {
       getPortletContext().log("Exception on SecretManager.getCredential(): "+e.getMessage());
    }
    request.setAttribute(USERID,userId.toString());
    request.setAttribute(PASSWORD,password.toString());
    
    
    

    The getCredential() method of SecretManager handles UserPasswordPassiveCredential types. The type of credential is set as an Integer in the portlet preferences. The getCredential() method of the credential vault service is used to obtain the credentials stored in the slot.

    public static void getCredential(PortletRequest portletRequest,
                                     PortletSessionBean sessionBean,
                                     StringBuffer userid, 
                                     StringBuffer password) throws PortletException {
       try {
          String slotId = getSlotId(portletRequest,sessionBean,false);
             if( slotId != null ) {
                UserPasswordPassiveCredential credential = 
                   (UserPasswordPassiveCredential)vaultService.getCredential
                      (slotId,CredentialTypes.USER_PASSWORD_PASSIVE,new 
                        HashMap(),portletRequest);
                if( credential != null) {
                   userid.append(credential.getUserId());
                   password.append(String.valueOf(credential.getPassword()));
                }
             }
       }
       catch( CredentialVaultException e) {
       // exception handling goes here
       }
    }
    
    
    

IBM example that reads a credential from the vault


Change the credential vault encryption

WebSphere Portal supports plugging in different vault adapters for the storage and retrieval of credentials. The default vault adapter that ships with WebSphere Portal stores user credentials in the portal configuration database. By default, the passwords are only obfuscated, but not encrypted.

See the How to change the encryption of the credential vault in WebSphere Portal technote for information on how to extend the default vault adapter to use own encryption code for encrypting and decrypting the passwords.


Parent

Understand the basics


+

Search Tips   |   Advanced Search