You can dynamically pass a username and password to the
Kerberos token generator, KRBGenerateLoginModule, when using WSSAPIs.
However, if you must use policy sets and bindings, you cannot dynamically
pass a username and password to the Kerberos token generator in a
standard configuration because both the callback handler and the username
and password in the callback handler are fixed values. Dynamic Kerberos
tokens can be created using policy sets and bindings if a custom JAAS
login module is used.
Before you begin
If you create a custom JAAS login module or add a UsernameToken
to the client's request context, you can customize the username and
password that the Kerberos token generator uses when requesting the
Kerberos ticket.
About this task
The GenericSecurityTokenFactory provides an SPI that you
can use to create a token that KRBGenerateLoginModule can use to customize
the username and password that is used when requesting the Kerberos
ticket.
The following procedure shows how to use the stacked
JAAS login module method to customize the username and password that
KRBGenerateLoginModule will use when creating a Kerberos token. You
can accomplish the same results by placing the UsernameToken that
is created in this procedure on the client's request context. You
can only create a dynamic Kerberos token from a UsernameToken that
you create. You cannot create a dynamic Kerberos token from a Kerberos
ticket. For more information on how to place the token on the client's
request context, refer to the following constants in com.ibm.wsspi.wssecurity.core.Constants:
- com.ibm.wsspi.wssecurity.token.tokenHolder
- com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext
Procedure
- Create a custom JAAS login module.
package test.tokens;

import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class MyKrbCustomLoginModule implements LoginModule {
    // For the sake of readability, this login module does not
    // protect against all NPEs.
    private Map<String, ?> _sharedState;
    private Map<String, ?> _options;
    private CallbackHandler _handler;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this._handler = callbackHandler;
        this._sharedState = sharedState;
        this._options = options;
    }

    public boolean login() throws LoginException {
        GenericSecurityTokenFactory factory = null;
        try {
            factory = GenericSecurityTokenFactory.getInstance();
        } catch (Exception e) {
            throw new LoginException(e.toString());
        }
        // "username" and "password" are placeholders; supply the values
        // your client wants the Kerberos ticket requested with.
        UsernameToken unt = factory.getSimpleUsernameToken("username", "password".toCharArray());
        // The stacked KRBGenerateLoginModule reads this token from the shared state.
        factory.putGeneratorTokenToSharedState(this._sharedState, unt);
        return true;
    }

    // The remaining LoginModule methods have nothing to do in this sample.
    public boolean commit() throws LoginException {
        return true;
    }

    public boolean abort() throws LoginException {
        return true;
    }

    public boolean logout() throws LoginException {
        return true;
    }
}
- Create a new JAAS login configuration.
  - In the administrative console, select Security > Global security.
  - Under Authentication, select Java Authentication and Authorization Service.
  - Select System logins.
  - Create the generator with the custom module first.
  - Click New, and then specify Alias = test.generate.krb.
  - Click New, and then specify Module class name = test.tokens.MyKrbCustomLoginModule.
  - Select Use login module proxy.
  - Click OK.
  - Click New, and then select Module class name = com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.
  - Click New, and then select Module class name = com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule.
  - Click OK.
  - Click JAAS - System logins.
- Configure your Kerberos token generator to use the new JAAS configuration.
  - Open the bindings configuration that you want to change. In the administrative console, select WS-Security > Authentication and protection.
  - Under Authentication tokens, select the Kerberos outbound token that you want to change.
  - Select JAAS login = test.generate.krb.
  - Click Save.
- Restart the application server to apply the JAAS configuration changes.
- Test your service.