Running the Security Identity Propagation sample

To run the Security Identity Propagation sample, you put each of the sample messages through the appropriate transport input node on the main Security Identity Propagation message flows. You can run the sample to learn what happens in the following situations:

For more information, see About the Security Identity Propagation sample.

If you encounter any problems when you run the sample, see Resolving problems when running samples in the WebSphere Message Broker documentation.

Running the sample with a WebSphere MQ message that contains a user identity token in the message MQMD header

The MQMD message header in WebSphere MQ messages provides the following pieces of information to the security system in the broker:

To run the sample with the WebSphere MQ message that contains a user identity token in the MQMD header:

  1. In the Broker Development view, expand the SecurityIdentitySampleFlowProject project. Expand the Flow Tests directory and double-click Security_Identity_MQ_ID.mbtest to open the file in the Test Client.
  2. Click Enqueue on the message flow test events toolbar. Note that the XML message does not contain any elements in the message body.
  3. Expand Header in the Detailed Properties section. Note that the Message Header selected is Send Identity. If you switch to the Configuration tab in the Test Client, and select MQ Message Header "Send Identity", you can view the details of the header. These details include mqmdUID as the User id, and Test Client as the Put application name.
  4. On the Events tab, click Send Message. The message is put to the SECURITYIDFROMMQIN queue.
  5. Look at the results:

Running the sample with a WebSphere MQ message that contains identity credentials in the message body

To overcome the restriction that the WebSphere MQ MQMD can provide only the issuer and user identity token, an additional MQInput node is provided. This node is configured to extract a full set of security credentials from fields within the message body.

To run the sample with the WebSphere MQ message that contains a user identity token in the message body:

  1. In the Broker Development view, expand the SecurityIdentitySampleFlowProject project. Expand the Flow Tests directory and double-click Security_Identity_MSG_ID.mbtest to open the file in the Test Client.
  2. Click Enqueue. Note that the message contains elements in the Body.MessageIdentity folder, which defines the following Identity credentials:
  3. Expand Header in the Detailed Properties section. Note that the Message Header selected is Default Header. If you switch to the Configuration tab in the Test Client, and select MQ Message Header "Default Header", you can view the details of the header. The User id and Put application name are blank.
  4. On the Events tab, click Send Message. The message is put to the SECURITYIDFROMMSGIN queue.
  5. Look at the results:

Running the sample with a WebSphere MQ message that requests a mapped identity to be set

When working with WebSphere MQ messages that contain only the user name and issuer, it is often necessary to invoke a federated identity mapping on the credentials. The credentials can then be mapped into a form that is suitable for invoking a service request, for example, that requires a username and password. Typically, an external federated identity manager is invoked to perform this operation. This sample provides a simple solution in which a Compute node is used to map the incoming identity, so that the following security credentials are created:

To run the sample with the WebSphere MQ input message that contains a request to set the mapped identity based on the username passed in the MQMD of the message:

  1. In the Broker Development view, expand the SecurityIdentitySampleFlowProject project. Expand the Flow Tests directory and double-click Security_Identity_Mapped.mbtest to open the file in the Test Client.
  2. Click Enqueue. Note that the message contains the Body.MapIdentity element. The presence of this element in the message causes the ESQL in the SecurityIdentitySampleFlow message flow to set the mapped Identity credentials as described above.
  3. Expand Header in the Detailed Properties section. Note that the Message Header selected is Send Identity. If you switch to the Configuration tab in the Test Client, and select MQ Message Header "Send Identity", you can view the details of the header. These details include TESTUSER as the User id, and BRKTSTCLNT as the Put application name.
  4. On the Events tab, click Send Message. The message is put to the SECURITYIDFROMMQIN queue.
  5. Look at the results:

Running the sample with an HTTP request message

The HTTP transport allows security credentials, such as a user name and password, to be passed in the HTTP header. A Java application is provided to run the sample with an HTTP request message that contains a user identity and password token in the HTTP Basic Authentication header. The Java application enables you to submit the contents of a text file, along with a username and password, to the Sample Message Flow HTTP Input.

The sample program has the following arguments:

java BasicAuthHttpPost <URLHost> <URLPort> <URLPathSuffix> <XML file> [<UserId> <Password>]

Where the arguments are:

To run the sample with an HTTP request message:

  1. In the WebSphere Message Broker Toolkit, switch to the Java perspective.
  2. In the Package Explorer view, expand the package com.ibm.wmb.sample.httpClient by expanding the SecurityIdentitySampleApplicationProject project.
  3. Right-click HttpPostFileWithBAuth.java under com.ibm.wmb.sample.httpClient and select Run As > Run Configurations to open the Run Configurations wizard.
  4. Double-click Java Application in the left tree view and select the configuration called HttpPostFileWithBAuth.
  5. In the Main tab, ensure Project is set to SecurityIdentitySampleApplicationProject.
  6. Ensure that Main class is set to com.ibm.wmb.sample.httpClient.HttpPostFileWithBAuth.
  7. Switch to the Arguments tab in the Run wizard, and enter the following in Program Arguments:

    On Windows:

    localhost 7080 /Security/IdentityFromHttp Messages\Simple.xml HttpUserName HttpPassword

    On Linux or Unix:

    localhost 7080 /Security/IdentityFromHttp Messages/Simple.xml HttpUserName HttpPassword

  8. You have created the Run Configuration.
    Start the application to send the HTTP request to the sample by clicking Run. Look at the results:
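
How the user ID and password arguments travel in the HTTP Basic Authentication header, shown as an added example (this is not the sample's HttpPostFileWithBAuth source): the client Base64-encodes user:password, and a constructed loopback listener standing in for the flow's HTTP input decodes it again. The class name, method names, listener and message body are assumptions made for the illustration; Base64 is reversible, so the header is only as confidential as the transport that carries it.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthPostDemo {
    // Authorization header value: "Basic " + base64(user ":" password). Encoding, not encryption.
    static String basicAuthHeader(String user, String password) {
        return "Basic " + Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
    }

    // Recover {user, password} from the header; returns null if it is absent or malformed.
    static String[] decodeBasicAuth(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // split on the first ':'; the password may contain more
            return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException malformedBase64) { return null; }
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0); // constructed stand-in listener
        server.createContext("/Security/IdentityFromHttp", exchange -> {
            exchange.getRequestBody().readAllBytes(); // drain the posted message
            String[] id = decodeBasicAuth(exchange.getRequestHeaders().getFirst("Authorization"));
            if (id != null) System.out.println("listener saw user=" + id[0] + ", password length=" + id[1].length());
            exchange.sendResponseHeaders(id == null ? 401 : 200, -1); // -1: no response body
            exchange.close();
        });
        server.start();
        try {
            URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/Security/IdentityFromHttp");
            HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "text/xml; charset=UTF-8");
            conn.setRequestProperty("Authorization", basicAuthHeader("HttpUserName", "HttpPassword"));
            try (OutputStream out = conn.getOutputStream()) {
                out.write("<Message/>".getBytes(StandardCharsets.UTF_8)); // constructed message body
            }
            System.out.println("HTTP status: " + conn.getResponseCode());
        } finally { server.stop(0); }
    }
}
```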
