

Get the caller subject from the thread for JAAS

The Caller subject (or "received subject") contains the user authentication information used in the call for this request. This subject is returned by the WSSubject.getCallerSubject API. To prevent existing objects from being replaced, the subject is marked read-only. You can use this API to get access to the WSCredential credential so that you can put or set data in the hashmap within the credential.

You need the following Java 2 security permission to run this API: permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject";

If you use the Kerberos authentication mechanism, the KDC policy enables Kerberos delegation, and the client has a forwardable Kerberos ticket, then the subject has the client Kerberos tickets and the GSS delegate credential. You can use APIs to access the Kerberos tickets and the GSS delegate credential.

Most data within the subject is not propagated downstream to another server. Only the credential token within the WSCredential credential is propagated downstream and a new caller subject is generated.


Procedure

  1. Get the caller subject.
    caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();
    
  2. Access the WSCredential credential.
    caller_cred = caller_subject.getPublicCredentials(
        com.ibm.websphere.security.cred.WSCredential.class).iterator().next();
    
  3. Put or set data in the hashmap within the credential.
    String CALLERDATA = (String) caller_cred.get ("MYKEY");
    System.out.println("My data from the Caller credential is:  " + CALLERDATA);
    
  4. Access the Kerberos tickets. For example:
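    // caller_subject is the subject obtained in step 1
    java.util.Set<KerberosTicket> kerberosTickets = caller_subject.getPrivateCredentials(KerberosTicket.class);
    if (kerberosTickets.size() > 1)
        System.out.println("Multiple Kerberos tickets found");
    java.util.Iterator<KerberosTicket> credIter = kerberosTickets.iterator();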
    
  5. Access the GSS credential. For example:
    GSSCredential gssCred = caller_subject.getPrivateCredentials(GSSCredential.class).iterator().next();
    


Example

    try {
        javax.security.auth.Subject caller_subject;
        com.ibm.websphere.security.cred.WSCredential caller_cred;

        caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();
        if (caller_subject != null) {
            caller_cred = caller_subject.getPublicCredentials(
                com.ibm.websphere.security.cred.WSCredential.class).iterator().next();
            String CALLERDATA = (String) caller_cred.get("MYKEY");
            System.out.println("My data from the Caller credential is:  " + CALLERDATA);
        }
    } catch (WSSecurityException e) {
        // log error
    } catch (Exception e) {
        // log error
    }
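
A defensive variant of steps 1 to 4, added here as an example and not taken from the product documentation: it checks for a missing subject or an empty credential set before calling iterator().next(), and selects only a Kerberos ticket that is still valid and forwardable. The class and method names (CallerSubjectReader, readCallerData, usableTicket) are hypothetical.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;

// Hypothetical helper class; not part of the WebSphere API.
public final class CallerSubjectReader {

    private CallerSubjectReader() { }

    // Returns the value stored under key in the caller's WSCredential, or
    // null when there is no caller subject, no credential, or no such key.
    public static Object readCallerData(String key) {
        try {
            Subject caller = WSSubject.getCallerSubject();
            if (caller == null) {
                return null; // no caller subject for this request
            }
            Set<WSCredential> creds = caller.getPublicCredentials(WSCredential.class);
            if (creds.isEmpty()) {
                return null; // iterator().next() would throw NoSuchElementException
            }
            return creds.iterator().next().get(key);
        } catch (WSSecurityException e) {
            // log the failure, but never the credential contents
            return null;
        } catch (Exception e) {
            // for example, an expired or destroyed credential
            return null;
        }
    }

    // Returns the first ticket that is both current and forwardable, or null.
    // With Java 2 security enabled, reading private credentials also requires
    // a javax.security.auth.PrivateCredentialPermission grant.
    public static KerberosTicket usableTicket(Subject caller) {
        if (caller == null) {
            return null;
        }
        for (KerberosTicket t : caller.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isCurrent() && t.isForwardable()) {
                return t;
            }
        }
        return null;
    }
}
```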