(V8502)

Generating and consuming SAML tokens using stacked JAAS login modules

We can use the GenericSecurityTokenFactory APIs to pass a SAML token that you have created to the SAMLGenerateLoginModule or GenericIssuedTokenGenerateLoginModule modules. We can also use these APIs to obtain SAML tokens that are consumed by SAMLConsumeLoginModule or GenericIssuedTokenConsumeLoginModule modules.

We must have a functioning set of JAX-WS service client and provider applications to which we can add new JAAS login module classes.

In this task, you will stack a custom login module above SAMLGenerateLoginModule for SAML token generation and one under SAMLConsumeLoginModule for SAML token consumption.

Although we can stack a login module under SAMLGenerateLoginModule to inspect a SAML token that has been created by that class, we cannot modify the SAML token that is obtained in this way unless the token does not contain a digital signature. If we modify a SAML token containing a digital signature, the XML for the SAML token will be adjusted for the updates; but, because the token was signed before you updated it, the signature validation will fail on the receiver.

This task generates a SAML 1.1 bearer token, but we can use any SAML version and type that is supported by the runtime environment. For more information about creating and modifying SAML tokens with the GenericSecurityTokenFactory APIs, see Developing SAML applications. For more information about how to place the token on the client's request context instead of using a JAAS login module, see the com.ibm.wsspi.wssecurity.token.tokenHolder and com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext constants in com.ibm.wsspi.wssecurity.core.Constants.

1. Create the following generator JAAS login module and make it available to the application code.

   package test.tokens;
   
   import java.util.ArrayList;
   import java.util.Map;
   import javax.security.auth.Subject;
   import javax.security.auth.callback.CallbackHandler;
   import javax.security.auth.login.LoginException;
   import javax.security.auth.spi.LoginModule;
   import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
   import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
   import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
   import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
   import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
   import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
   import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
   
   public class MySamlGenerator implements LoginModule {
   
     private Map _sharedState;
     private Map _options;
     private CallbackHandler _handler;
   
     public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
   
       this._handler = callbackHandler;
       this._sharedState = sharedState;
       this._options = options;  
     }
     public boolean login() throws LoginException {
   
       GenericSecurityTokenFactory factory = null;
       try {
         factory = GenericSecurityTokenFactory.getInstance();
       } catch (Exception e) {
         throw new LoginException(e.toString());
       }
       if (factory == null) {
         throw new LoginException("GenericSecurityTokenFactory.getInstance() returned null");
       }
       SAMLToken myToken = null;
       try {
         myToken = createSamlToken();
       } catch (Exception e) {
         throw new LoginException(e.toString());
       }
       if (myToken == null) {
         throw new LoginException("myToken is null");
       }
   
       //Put the token in a list on the shared state where it will be available to be used by     //stacked login modules     factory.putGeneratorTokenToSharedState(_sharedState, myToken);
   
       return true;
     }
   
     private SAMLToken createSamlToken() throws Exception {
       //SAML Bearer example 
       SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
       RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
       reqData.setAuthenticationMethod("Password"); //Authentication method for Assertion
   
       ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("self-issue");
   
       CredentialConfig cred = samlFactory.newCredentialConfig ();
       cred.setRequesterNameID("Alice");   // SAML NameIdentifier
      
       //Add some SAML attributes: 
       SAMLAttribute attribute = new SAMLAttribute
         ("email", new String[] {"joe@websphere"},null, "WebSphere", "email", "joe");
       ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
       al.add(attribute);
       attribute = new SAMLAttribute("Membership", 
         new String[] {"Super users", "My team"}, null, null, null, null  );
       al.add(attribute);
       cred.setSAMLAttributes(al);
   
       SAMLToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
   
       return samlToken;
     }
   
     public boolean logout() throws LoginException {
       return false;
     } 
     public boolean abort() throws LoginException {
       return false;
     }
     public boolean commit() throws LoginException {
       return true;
     }
   }

2. Create the following consumer JAAS login module and make it available to the application code.

   package test.tokens;
   
   import java.util.Map;
   import javax.security.auth.Subject;
   import javax.security.auth.callback.CallbackHandler;
   import javax.security.auth.login.LoginException;
   import javax.security.auth.spi.LoginModule;
   import javax.xml.namespace.QName;
   import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
   import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
   import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
   import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
   
   public class MySamlConsumer implements LoginModule {
   
     private Map _sharedState;
     private Map _options;
     private CallbackHandler _handler;
   
     public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
   
       this._handler = callbackHandler;
       this._sharedState = sharedState;
       this._options = options;  
     }
     public boolean login() throws LoginException {
   
       GenericSecurityTokenFactory factory = null;
       try {
         factory = GenericSecurityTokenFactory.getInstance();
       } catch (Exception e) {
         throw new LoginException(e.toString());
       }
       if (factory == null) {
         throw new LoginException("GenericSecurityTokenFactory.getInstance() returned null");
       }
       //Get the token that was consumed by the GenericIssuedConsumeLoginModule
       SecurityToken myToken = factory.getConsumerTokenFromSharedState(_sharedState, new QName(SAMLTokenFactory.WssSamlV11Token11));
       if (myToken == null) {
           throw new LoginException("myToken is null");
       }
       if (myToken instanceof SAMLToken) {
        //Examine the SAML token with SAML APIs      SAMLToken samlToken = (SAMLToken)myToken;
        String id = samlToken.getSamlID();
        String subjectDns = samlToken.getSubjectDNS();
        //... 
       } else {
        throw new LoginException("Did not receive a SAML token");
       }
       return true;
     }
     public boolean logout() throws LoginException {
       return false;
     } 
     public boolean abort() throws LoginException {
       return false;
     }
     public boolean commit() throws LoginException {
       return true;
     }
   }

3. Create a JAAS login configuration.

   1. In the console, go to Security > Global security > Authentication, go to Java Authentication and Authorization Service > System logins.

   2. Create the SAML token generator.

      1. Click New, and under Alias, enter test.generate.saml.

      2. Under JAAS login modules, click New, and under Module class name, enter test.tokens.MySamlGenerator. Select Use login module proxy, and click OK.

      3. Click New, and under Module class name, enter com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule. Click OK.

   3. Create the SAML token consumer.

      1. Click JAAS - System logins in the breadcrumbs to return to the JAAS system logins page.

      2. Click New, and under Alias, enter test.consume.saml.

      3. Under JAAS login modules, click New, and under Module class name, enter com.ibm.ws.wssecurity.wssapi.token.impl.SAMLConsumeLoginModule. Select Use login module proxy, and click OK.

      4. Click Save.

4. Configure the SAML token generator to use the new JAAS login configuration.

   1. In the console, open the bindings configuration to change.

   2. Select WS-Security > Authentication and protection > Authentication tokens, select the SAML outbound token to change.

   3. Under JAAS login, select test.generate.saml.

5. Configure the SAML token consumer to use the new JAAS configuration.

   1. In the console, open the bindings configuration to change.

   2. Select WS-Security > Authentication and protection > Authentication tokens, select the SAML inbound token to change.

   3. Under JAAS login, select test.consume.saml.

6. Click Save.

7. Restart the application server to apply the JAAS configuration changes.

8. Test the service.

Related tasks

Develop SAML applications

Programming Interfaces (APIs)