The ServerAuthModule implementation class must define the public initialize, validateRequest, secureResponse and cleanSubject methods (the interface also declares getSupportedMessageTypes, which reports the message types the module handles):
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleAuthModule implements ServerAuthModule {

    // Called once by the ServerAuthContext; keep the policies and the handler for later use.
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options)
            throws AuthException {
        ...
    }

    // The message types this module can process (servlet request/response for the web profile).
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    // Authenticate the incoming request; populate clientSubject on success.
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        ...
    }

    // Secure the outgoing response (usually a no-op returning AuthStatus.SEND_SUCCESS).
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        ...
    }

    // Remove anything this module placed in the subject.
    public void cleanSubject(MessageInfo messageInfo, Subject subject)
            throws AuthException {
        ...
    }
}
The initialize method in the ServerAuthModule implementation class is called by the ServerAuthContext implementation class to initialize the authentication module and to associate it with the ServerAuthContext instance.
The validateRequest and secureResponse methods in this class are used to authenticate the javax.servlet.http.HttpServletRequest and javax.servlet.http.HttpServletResponse contained in the javax.security.auth.message.MessageInfo that is received. These methods can use the CallbackHandler instance that is received in the initialize method to interact with the WebSphere security run time to validate a user password, and with the active user registry to retrieve a unique id and group membership for a user. The retrieved data is placed in a Hashtable in the set of private credentials in the client subject. The WebSphere Application Server implementation of the CallbackHandler supports the following three callbacks:
- CallerPrincipalCallback
- GroupPrincipalCallback
- PasswordValidationCallback
WebSphere Application Server expects the name values obtained with PasswordValidationCallback.getUsername() and CallerPrincipalCallback.getName() to be identical. If they are not, unpredictable results occur. The handle() method of the CallbackHandler processes each callback that is given in the argument array of the method sequentially. Therefore, the name value set in the private credentials of the client subject is the one obtained from the last callback processed.
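The following is an added example, not code from the WebSphere documentation or product, of a module that applies the three callbacks above to HTTP Basic credentials. It passes the same username to PasswordValidationCallback and CallerPrincipalCallback, as the previous paragraph requires, and checks PasswordValidationCallback.getResult() before issuing the caller and group callbacks, so that a failed password check never reaches the callback that names the caller. The class name BasicAuthModule, the helper groupsFor and the constructed group list it returns, and the choice of SEND_CONTINUE for a challenge and SEND_FAILURE for rejected credentials are assumptions of this example; the callback classes, AuthStatus values and MessagePolicy.isMandatory() are standard JSR 196 API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Example ServerAuthModule (not WebSphere's own code) that authenticates HTTP Basic credentials
// through the container-supplied CallbackHandler.
public class BasicAuthModule implements ServerAuthModule {

    private MessagePolicy requestPolicy;
    private CallbackHandler handler;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.requestPolicy = requestPolicy;   // tells us whether authentication is mandatory
        this.handler = handler;               // WebSphere's handler for the three supported callbacks
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        String[] creds = parseBasicHeader(request.getHeader("Authorization"));
        if (creds == null) {
            // No usable credential: unprotected resources proceed unauthenticated, protected ones are challenged.
            if (requestPolicy != null && !requestPolicy.isMandatory()) {
                return AuthStatus.SUCCESS;
            }
            return challenge(response);
        }
        String username = creds[0];
        char[] password = creds[1].toCharArray();
        PasswordValidationCallback pvc = new PasswordValidationCallback(clientSubject, username, password);
        try {
            // Step 1: let the WebSphere run time check the password against the active registry.
            handler.handle(new Callback[] { pvc });
            if (!pvc.getResult()) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;            // assumption: reject without re-challenging
            }
            // Step 2: name the caller with exactly the username validated above, then add groups.
            // The last callback handled determines the name stored in the subject, so both agree.
            CallerPrincipalCallback cpc = new CallerPrincipalCallback(clientSubject, username);
            GroupPrincipalCallback gpc = new GroupPrincipalCallback(clientSubject, groupsFor(username));
            handler.handle(new Callback[] { cpc, gpc });
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException("callback handling failed");
            ae.initCause(e);
            throw ae;
        } finally {
            pvc.clearPassword();                // do not leave the password lying around in the heap
            Arrays.fill(password, '\0');
        }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;         // nothing to add to the response
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        subject.getPrincipals().clear();
        subject.getPrivateCredentials().clear();
    }

    // Hypothetical group lookup; a real module would query the registry or omit GroupPrincipalCallback.
    private String[] groupsFor(String username) {
        return new String[] { "users" };        // constructed sample value
    }

    private AuthStatus challenge(HttpServletResponse response) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;        // response carries the challenge; client should retry
    }

    // Returns {username, password} from a Basic Authorization header, or null if absent or malformed.
    static String[] parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                        // not valid Base64
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) return null;            // empty username or no separator
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }
}
```

Because the callbacks are handled in order, issuing PasswordValidationCallback first and then CallerPrincipalCallback with the same name keeps the subject's recorded user identity consistent with the identity whose password was actually checked; handing both to a single handle() call in the opposite order, or with different names, produces the unpredictable results the text warns about.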
If CallbackHandler is not used by the authentication module, and validateRequest returns a successful status, WebSphere Application Server requires that a Hashtable instance be included in the clientSubject with user identity information so that a custom login can be performed to obtain the credentials for the user. This Hashtable can be added to the client subject as in the following example:
import java.util.Hashtable;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
        throws AuthException {
    ...
    // username, password and groupList (a List of group unique ids) are obtained by the module above (elided).
    String uniqueid;
    try {
        // null selects the active (default) realm's registry
        UserRegistry reg = RegistryHelper.getUserRegistry(null);
        uniqueid = reg.getUniqueUserId(username);
    } catch (Exception e) {
        // registry lookups throw checked exceptions; surface them as the AuthException the contract allows
        AuthException ae = new AuthException("user registry lookup failed");
        ae.initCause(e);
        throw ae;
    }
    Hashtable<String, Object> hashtable = new Hashtable<String, Object>();
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, username);
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_PASSWORD, password);
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groupList); // optional
    clientSubject.getPrivateCredentials().add(hashtable);
    ...
    return AuthStatus.SUCCESS;
}
For more information about the Hashtable requirements and custom login, see Developing JAAS custom login modules for a system login configuration.