By enabling identity assertion with trust validation, an application can use the JAAS
login configuration to perform a programmatic identity assertion.
About this task
To enable an identity assertion with trust validation, follow these steps:
Procedure
- Create a custom login module to perform a trust validation.
The login module must set trust and identity information in the shared state, which is then
passed on to the IdentityAssertionLoginModule. The trust and identity information is stored in a map
in the shared state under the key,
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state. If this key is missing
from the shared state, a WSLoginFailedException error is thrown by the IdentityAssertionLoginModule
module. The custom login module should include the following:
- A trust key named
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted. If the trust key is
set to true, trust is established. If the trust key is set to false, the
IdentityAssertionLoginModule module creates a WSLoginFailedException error.
- The identity of the java.security.Principal type set in the
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal key.
- The identity in the form of a java.security.cert.X509Certificate[]
certificate array set in the
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates key.
Note: If both a principal and a certificate are supplied, the principal is used, and a warning
is issued.
- Create a new Java™ Authentication and Authorization Service (JAAS) configuration for
application logins.
It contains the user-implemented trust validation custom login module and the
IdentityAssertionLoginModule module. To configure an application login configuration from the
administrative console, complete the following steps:
- Click Security > Global security.
- Under Java Authentication and Authorization Service, click Application logins
> New.
- Supply the JAAS configuration with an alias, and then click
Apply.
- Under Additional properties, click JAAS Login Modules > New.
- Enter the module class name of the user-implemented trust validation custom login
module, and then click Apply.
- Enter the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule
module class name.
- Make sure that the module classes are listed in the correct order. The
user-implemented trust validation login module must be the first class in the list, and the
IdentityAssertionLoginModule module must be the second class.
- Click Save. The new JAAS configuration is used by the application to perform an
identity assertion.
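The following is an added example of the trust validation login module described in step 1; it is not IBM's code. It assumes the application's callback handler answers a NameCallback with the name of the asserted principal, and it takes its trust policy from a hypothetical login module option named allowedIdentities (a comma-separated list); a production module would instead validate the trust of the already-authenticated caller.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Trust validation login module (added example, not IBM code). List it first in the JAAS
// application login, ahead of IdentityAssertionLoginModule, which reads the map stored here.
public class TrustValidationLoginModule implements LoginModule {
    private static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.";
    private Map<String, Object> sharedState;
    private CallbackHandler handler;
    private String[] allowed = new String[0]; // trust policy; its source is an assumption
    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        Object opt = options.get("allowedIdentities"); // hypothetical login module option
        if (opt != null) allowed = ((String) opt).split(",");
    }

    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("asserted identity: ");
        try {
            handler.handle(new Callback[] { nc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain asserted identity: " + e.getMessage());
        }
        String name = nc.getName();
        // Untrusted by default: a missing or unlisted identity makes the assertion fail closed.
        boolean trusted = name != null && !name.isEmpty() && Arrays.asList(allowed).contains(name);
        Map<String, Object> state = new HashMap<>();
        state.put(PREFIX + "trusted", trusted);                  // Boolean trust flag
        state.put(PREFIX + "principal", (Principal) () -> name); // java.security.Principal
        sharedState.put(PREFIX + "state", state); // key IdentityAssertionLoginModule reads
        return true;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { sharedState.remove(PREFIX + "state"); return true; }
    @Override public boolean logout() { return true; }
}
```

With the trusted flag false, the IdentityAssertionLoginModule that follows raises WSLoginFailedException, so an untrusted assertion never reaches WSSubject.setRunAsSubject.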
What to do next
An application can now use the JAAS login configuration to perform a programmatic identity
assertion. The application can create a login context for the JAAS configuration created in step 2,
then log in to that login context with the identity it asserts to. If the login is successful, that
identity can be set in the current running process, as in the following example:
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;

// MyCallbackHandler and MyPrincipal are application classes; "MyAppLoginConfig" is the alias of the JAAS configuration created in step 2.
MyCallbackHandler handler = new MyCallbackHandler(new MyPrincipal("Joe"));
LoginContext lc = new LoginContext("MyAppLoginConfig", handler);
lc.login(); // assume successful; a failed login throws javax.security.auth.login.LoginException
Subject s = lc.getSubject();
WSSubject.setRunAsSubject(s);
// From here on, the runas identity is "Joe"