Passing SAML tokens between JAAS login modules

The SAMLGenerateLoginModule can be used to obtain an application-generated SAML token from a shared state object that is initialized in the application's JAAS login module. The GenericIssuedTokenGenerateLoginModule can also be used to obtain an application-generated SAML token from the shared state. For more information, read the Generating and consuming SAML tokens using stacked JAAS login modules topic.

About this task

The following procedure describes the setup that is required to use this functionality.

Procedure

  1. Save off the shared state object into a class variable in the initialize method of the JAAS login module.
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.spi.LoginModule;
    import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
    import com.ibm.wsspi.wssecurity.core.Constants;
    
    public class myLoginModule implements LoginModule {
    ...
      // Raw Map so that login() can put entries into it; the JAAS
      // signature declares the parameter as Map<String, ?>.
      private Map _sharedState;
    ...
      public void initialize(Subject subject, 
             CallbackHandler callbackHandler, 
             Map<String, ?> sharedState, 
             Map<String, ?> options) {
      ...
         // Keep a reference to the same Map instance: the stacked
         // SAMLGenerateLoginModule reads the token from this object.
         this._sharedState = sharedState;
      ...
      }     
  2. Put the application-generated SAMLToken on the sharedState object by using one of the following methods:
      • Token list method. Create an ArrayList of SecurityToken and add the application-generated SAMLToken as the only entry in this list; the WS-Security runtime loops through the list and uses only the first entry, so do not add more than one token. Then put the ArrayList object in the _sharedState object with the key com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_TO_BE_INSERTED.
          import java.util.ArrayList;
          import javax.security.auth.login.LoginException;
          
          public boolean login() throws LoginException {
        ...
            SAMLToken mySamlToken=someSAMLToken;
            // Exactly one entry: the runtime inserts only the first token it finds.
            ArrayList<SecurityToken> tokenList = 
                new ArrayList<SecurityToken>();
            tokenList.add(mySamlToken);
            _sharedState.put(
                Constants.WSSECURITY_TOKEN_TO_BE_INSERTED,
                tokenList);
        ...
          }
      • GenericSecurityTokenFactory method. Use the GenericSecurityTokenFactory.putGeneratorTokenToSharedState method to put the SAML token on the _sharedState object.
        import javax.security.auth.login.LoginException;
        import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
        
          public boolean login() throws LoginException {
        ...
          SAMLToken mySamlToken=someSAMLToken;
          try {
            GenericSecurityTokenFactory factory = GenericSecurityTokenFactory.getInstance();
            factory.putGeneratorTokenToSharedState(this._sharedState, mySamlToken);
          } catch (Exception e) {
            // Report any failure to obtain the factory or store the token as a login failure.
            throw new LoginException("unable to put SAML token on shared state: " + e);
          }
        ...
          }
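The two steps above, assembled into one complete login module, as an added example that is not code from the original page or from IBM. It assumes a hypothetical SamlTokenCallback through which the application's CallbackHandler hands over the SAMLToken it generated (the page does not say where someSAMLToken comes from), and a hypothetical login-module option useFactory that selects the GenericSecurityTokenFactory path instead of the token-list path. Only the IBM classes and methods named on this page are used.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.wsspi.wssecurity.core.Constants;

/**
 * Added example (not from the original page): a JAAS login module that obtains an
 * application-generated SAMLToken through a hypothetical custom Callback and hands it
 * to the stacked SAMLGenerateLoginModule through the shared state object.
 */
public class SamlHandoffLoginModule implements LoginModule {

    /** Hypothetical callback: the application's CallbackHandler fills in the token. */
    public static final class SamlTokenCallback implements Callback {
        private SAMLToken token;
        public void setToken(SAMLToken token) { this.token = token; }
        public SAMLToken getToken() { return token; }
    }

    private Map<String, Object> sharedState;
    private CallbackHandler callbackHandler;
    private boolean useFactory;   // hypothetical option, see lead-in
    private boolean handedOff;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        // Keep the same Map instance: the downstream module reads this exact object.
        this.sharedState = (Map<String, Object>) sharedState;
        this.callbackHandler = callbackHandler;
        this.useFactory = Boolean.parseBoolean(String.valueOf(options.get("useFactory")));
    }

    @Override
    public boolean login() throws LoginException {
        if (callbackHandler == null) {
            throw new LoginException("no CallbackHandler available to obtain the SAML token");
        }
        SamlTokenCallback cb = new SamlTokenCallback();
        try {
            callbackHandler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not obtain SAML token: " + e);
        }
        SAMLToken token = cb.getToken();
        if (token == null) {
            // Fail closed: do not leave the shared state untouched and let a later
            // module fall back to whatever token happens to be there.
            throw new LoginException("application did not supply a SAML token");
        }
        if (useFactory) {
            try {
                GenericSecurityTokenFactory factory = GenericSecurityTokenFactory.getInstance();
                factory.putGeneratorTokenToSharedState(sharedState, token);
            } catch (Exception e) {
                throw new LoginException("unable to put SAML token on shared state: " + e);
            }
        } else {
            // The runtime reads only the first entry of this list, so keep exactly one.
            List<SecurityToken> tokens = new ArrayList<SecurityToken>();
            tokens.add(token);
            sharedState.put(Constants.WSSECURITY_TOKEN_TO_BE_INSERTED, tokens);
        }
        handedOff = true;
        return true;
    }

    @Override
    public boolean commit() { return handedOff; }

    @Override
    public boolean abort() {
        // Undo the token-list hand-off; the key used by the factory path is not
        // documented on the page, so that entry is left to the factory.
        if (!useFactory) {
            sharedState.remove(Constants.WSSECURITY_TOKEN_TO_BE_INSERTED);
        }
        handedOff = false;
        return true;
    }

    @Override
    public boolean logout() { handedOff = false; return true; }
}
```

Stack this module before SAMLGenerateLoginModule (or GenericIssuedTokenGenerateLoginModule) in the JAAS login configuration; because login() throws when no token is supplied, the generator module is never reached with an empty or stale shared state.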