Example: Custom login module for inbound mapping
This sample shows a custom login module that creates a java.util.Hashtable hashtable that is based on the specified NameCallback callback. The java.util.Hashtable hashtable is added to the sharedState java.util.Map map so that the WebSphere Application Server login modules can locate the information in the Hashtable.
public customLoginModule() { public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { // (For more information on initialization, see // Custom login module development for a system login configuration.) _sharedState = sharedState; } public boolean login() throws LoginException { // (For more information on what to do during login, see // Custom login module development for a system login configuration.) // Handles the WSTokenHolderCallback to see if this is an initial or // propagation login. javax.security.auth.callback.Callback callbacks[] = new javax.security.auth.callback.Callback[3]; callbacks[0] = new javax.security.auth.callback.NameCallback(""); callbacks[1] = new javax.security.auth.callback.PasswordCallback( "Password: ", false); callbacks[2] = new com.ibm.websphere.security.auth.callback. WSCredTokenCallbackImpl(""); callbacks[3] = new com.ibm.wsspi.security.auth.callback. WSTokenHolderCallback(""); try { callbackHandler.handle(callbacks); } catch (Exception e) { // Handles the exception } // Determines which callbacks contain information boolean identitySwitched = false; String uid = ((NameCallback) callbacks[0]).getName(); char password[] = ((PasswordCallback) callbacks[1]).getPassword(); byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[2]).getCredToken(); java.util.List authzTokenList = ((WSTokenHolderCallback) callbacks[3]). getTokenHolderList(); if (credToken != null) { try { String uniqueID = WSSecurityPropagationHelper.validateLTPAToken(credToken); String realm = WSSecurityPropagationHelper.getRealmFromUniqueID (uniqueID); // Set the string to the UID so you can use the information to either // map or login. uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueID); } catch (Exception e) { // handle exception } } else if (uid == null) { // The authentication data is not valid. You must have either UID // or CredToken throw new WSLoginFailedException("invalid authentication data."); } else if (uid != null && password != null) { // This is a typical authentication. You can choose to map this ID to // another ID or you can skip it and allow WAS // to log in for you. When passwords are presented, be very careful not // to validate the password because this is the initial authentication. return true; } // You can map this uid to something else and set the identitySwitched // boolean. If the identity is changed, clear the following propagated // attributes so they are not used incorrectly. uid = myCustomMappingRoutine (uid); // Clear the propagated attributes because they no longer apply to the new identity if (identitySwitched) { ((WSTokenHolderCallback) callbacks[3]).setTokenHolderList(null); } boolean requiresLogin = ((com.ibm.wsspi.security.auth.callback. WSTokenHolderCallback) callbacks[2]).requiresLogin(); if (requiresLogin || identitySwitched) { // Retrieves the default InitialContext for this server. javax.naming.InitialContext ctx = new javax.naming.InitialContext(); // Retrieves the local UserRegistry object. com.ibm.websphere.security.UserRegistry reg = (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry"); // Retrieves the registry uniqueID based on the uid that is specified // in the NameCallback. String uniqueid = reg.getUniqueUserId(uid); uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueID); // Retrieves the display name from the user registry based on the uniqueID. String securityName = reg.getUserSecurityName(uid); // Retrieves the groups associated with this uniqueID. java.util.List groupList = reg.getUniqueGroupIds(uid); // Creates the java.util.Hashtable with the information that you gathered // from the UserRegistry. java.util.Hashtable hashtable = new java.util.Hashtable(); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_UNIQUEID, uniqueid); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_SECURITYNAME, securityName); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_GROUPS, groupList); // Adds a cache key that is used as part of the lookup mechanism for // the created Subject. The cache key can be an object, but has // an implemented toString method. Make sure the cacheKey contains enough // information to scope it to the user and any additional attributes you are // using. If you do not specify this property, the Subject is scoped to the // WSCREDENTIAL_UNIQUEID returned, by default. hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_CACHE_KEY, "myCustomAttribute" + uniqueid); // Adds the hashtable to the shared state of the Subject. _sharedState.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_PROPERTIES_KEY, hashtable); } else if (requiresLogin == false) { // For more information on this section, see // Security attribute propagation. // If you added a custom Token implementation, you can search through the // token holder list for it to deserialize. //Any Java objects are automatically deserialized by // wsMapDefaultInboundLoginModule for (int i=0; i<authzTokenList.size(); i++) { if (authzTokenList[i].getName().equals("com.acme.MyCustomTokenImpl") { byte[] myTokenBytes = authzTokenList[i].getBytes(); // Passes these bytes into the constructor of your implementation // class for deserialization. com.acme.MyCustomTokenImpl myTokenImpl = new com.acme.MyCustomTokenImpl(myTokenBytes); } } } } public boolean commit() throws LoginException { // (For more information on what to do during a commit, see // Custom login module development for a system login configuration.) } // Defines your login module variables com.ibm.wsspi.security.token.AuthorizationToken customAuthzToken = null; com.ibm.wsspi.security.token.AuthenticationToken defaultAuthToken = null; java.util.Map _sharedState = null; }
Related concepts
Security attribute propagation
Related tasks
Configure inbound identity mapping
Related Reference
Custom login module development for a system login configuration
Reference topic