Getting the caller subject from the thread for JAAS
The Caller subject (or received subject) contains the user authentication information that is used in the call for this request. This subject is returned by the WSSubject.getCallerSubject application programming interface (API). To prevent existing objects from being replaced, the subject is marked read-only. You can use this API to get access to the WSCredential credential so that you can put or set data in the hashmap within the credential.
Before you begin
You need the following Java™ 2 security permissions to run this API:
    permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject";
If you use the Kerberos authentication mechanism, the KDC policy enables Kerberos delegation, and the client has a forwardable Kerberos ticket, then the subject contains the client Kerberos tickets and the GSS delegate credential. You can use APIs to access the Kerberos tickets and the GSS delegate credential.
About this task
Most data within the subject is not propagated downstream to another server. Only the credential token within the WSCredential credential is propagated downstream and a new caller subject is generated.
Procedure
Example
try {
    javax.security.auth.Subject caller_subject;
    com.ibm.websphere.security.cred.WSCredential caller_cred;

    // Returns the read-only caller (received) subject; checked for null below.
    caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();

    if (caller_subject != null) {
        // Take the first WSCredential from the public credentials.
        caller_cred = caller_subject.getPublicCredentials(
                com.ibm.websphere.security.cred.WSCredential.class).iterator().next();
        String CALLERDATA = (String) caller_cred.get("MYKEY");
        System.out.println("My data from the Caller credential is: " + CALLERDATA);
    }
} catch (com.ibm.websphere.security.WSSecurityException e) {
    // log error
} catch (Exception e) {
    // log error
}
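The following added example (not IBM's code) uses only the standard JAAS classes to show what a read-only subject does and does not protect: the credential set is frozen, but a credential object inside it can still have data set on it, which is why the hashmap in the credential remains writable. DemoCredential, firstPublicCredential and the sample value are hypothetical stand-ins, and the example assumes the read-only marking behaves like the standard Subject.setReadOnly().

```java
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;

public class ReadOnlySubjectDemo {
    // Hypothetical stand-in for WSCredential: a credential carrying a key/value map.
    static final class DemoCredential {
        private final Map<String, Object> data = new ConcurrentHashMap<>();
        Object get(String key) { return data.get(key); }
        void set(String key, Object value) { data.put(key, value); }
    }

    // Null-safe lookup: returns null when there is no subject or no matching
    // credential, instead of letting iterator().next() throw NoSuchElementException.
    static <T> T firstPublicCredential(Subject subject, Class<T> type) {
        if (subject == null) return null;
        Iterator<T> it = subject.getPublicCredentials(type).iterator();
        return it.hasNext() ? it.next() : null;
    }

    public static void main(String[] args) {
        // Constructed subject standing in for what getCallerSubject() returns.
        Subject caller = new Subject();
        caller.getPublicCredentials().add(new DemoCredential());
        caller.setReadOnly();

        // 1. The credential set itself can no longer be changed.
        try {
            caller.getPublicCredentials().add(new DemoCredential());
            System.out.println("unexpected: credential set was modified");
        } catch (IllegalStateException expected) {
            System.out.println("credential set is read-only: " + expected.getMessage());
        }

        // 2. The credential object inside the set is still mutable.
        DemoCredential cred = firstPublicCredential(caller, DemoCredential.class);
        if (cred != null) {
            cred.set("MYKEY", "constructed sample value");
            System.out.println("MYKEY = " + cred.get("MYKEY"));
        }

        // 3. A credential type that is absent yields null rather than an exception.
        System.out.println("String credential: " + firstPublicCredential(caller, String.class));
    }
}
```

Because data set on the credential is visible to any later code that reads the same subject on the thread, treat values read back from it as input to validate rather than as part of the authenticated identity.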