Developing JAAS custom login modules for a system login configuration
The Liberty server has several Java™ Authentication and Authorization Service (JAAS) plug-in points for configuring system logins. Liberty uses the system login configurations to authenticate incoming requests. You can develop a custom JAAS login module to add information to the Subject that a system login configuration produces.
About this task
Servlet applications call the application login configuration to obtain a Subject based on specific authentication information. When you write a login module that plugs into a Liberty application login or system login configuration, you must develop login logic that knows when that information is present and how to use it. See JAAS configuration and JAAS login modules for details.
To develop a JAAS custom login module for a system login configuration, complete the following steps:
Procedure
- Understand the available callbacks and how they work.
See JAAS programmatic login for information about the available callbacks.
Note: Liberty supports only the following callbacks:

```java
callbacks[0] = new javax.security.auth.callback.NameCallback("Username: ");
callbacks[1] = new javax.security.auth.callback.PasswordCallback("Password: ", false);
callbacks[2] = new com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl("Credential Token: ");
callbacks[3] = new com.ibm.websphere.security.auth.callback.WSServletRequestCallback("HttpServletRequest: ");
callbacks[4] = new com.ibm.websphere.security.auth.callback.WSServletResponseCallback("HttpServletResponse: ");
callbacks[5] = new com.ibm.websphere.security.auth.callback.WSAppContextCallback("ApplicationContextCallback: ");
callbacks[6] = new WSRealmNameCallbackImpl("Realm Name: ", default_realm);
callbacks[7] = new WSX509CertificateChainCallback("X509Certificate[]: ");
callbacks[8] = new WSAuthMechOidCallbackImpl("AuthMechOid: ");
```
- Understand the shared state variables and how they work. If you want to access the objects that WebSphere® Application Server creates during a login, use the following shared state variables. For more information about these variables, see the System programming interfaces subtopic under Programming interfaces.
- com.ibm.wsspi.security.auth.callback.Constants.WSPRINCIPAL_KEY
- Specifies an implementation of the java.security.Principal interface. This shared state variable is read-only. Do not set this variable in the shared state of a custom login module; the default login module sets it.
- com.ibm.wsspi.security.auth.callback.Constants.WSCREDENTIAL_KEY
- Specifies a com.ibm.websphere.security.cred.WSCredential object. This shared state variable is read-only. Do not set this variable in the shared state of a custom login module; the default login module sets it.
- com.ibm.wsspi.security.auth.callback.Constants.WSSSOTOKEN_KEY
- Specifies a com.ibm.wsspi.security.token.SingleSignonToken object. Do not set this variable in the shared state of a custom login module; the default login module sets it.
- Optional: Understand the hashtable for custom JAAS login modules in Liberty. For more information, see Hashtable login module.
- Develop a sample custom login module that uses the callbacks and the shared state.
You can use the following sample to learn how to use some of the callbacks and shared state variables. The sample stores the values it collects as String private credentials only to show that the callbacks returned them; a production login module must not keep the clear-text password in the Subject.
```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Liberty callback classes (the original listing omitted its imports).
import com.ibm.websphere.security.auth.callback.*;
import com.ibm.wsspi.security.auth.callback.*;

public class CustomCallbackLoginModule implements LoginModule {

    protected Map<String, ?> _sharedState;
    protected Subject _subject = null;
    protected CallbackHandler _callbackHandler;
    private final String customPrivateCredential = "CustomLoginModuleCredential";

    /**
     * Initialization of login module
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        _sharedState = sharedState;
        _subject = subject;
        _callbackHandler = callbackHandler;
    }

    public boolean login() throws LoginException {
        // Modifying the Subject's credential sets needs AuthPermission when Java 2
        // security is enabled, so the sample does it inside a privileged block.
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception {
                    _subject.getPrivateCredentials().add(customPrivateCredential);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            throw new LoginException(e.getLocalizedMessage());
        }

        String username = null;
        char passwordChar[] = null;
        byte[] credToken = null;
        HttpServletRequest request = null;
        HttpServletResponse response = null;
        Map appContext = null;
        String realm = null;
        String authMechOid = null;
        X509Certificate[] certChain = null;

        NameCallback nameCallback = null;
        PasswordCallback passwordCallback = null;
        WSCredTokenCallbackImpl wsCredTokenCallback = null;
        WSServletRequestCallback wsServletRequestCallback = null;
        WSServletResponseCallback wsServletResponseCallback = null;
        WSAppContextCallback wsAppContextCallback = null;
        WSRealmNameCallbackImpl wsRealmNameCallback = null;
        WSX509CertificateChainCallback wsX509CertificateCallback = null;
        WSAuthMechOidCallbackImpl wsAuthMechOidCallback = null;

        // Request every callback that Liberty supports.
        Callback[] callbacks = new Callback[9];
        callbacks[0] = nameCallback = new NameCallback("Username: ");
        callbacks[1] = passwordCallback = new PasswordCallback("Password: ", false);
        callbacks[2] = wsCredTokenCallback = new WSCredTokenCallbackImpl("Credential Token: ");
        callbacks[3] = wsServletRequestCallback = new WSServletRequestCallback("HttpServletRequest: ");
        callbacks[4] = wsServletResponseCallback = new WSServletResponseCallback("HttpServletResponse: ");
        callbacks[5] = wsAppContextCallback = new WSAppContextCallback("ApplicationContextCallback: ");
        callbacks[6] = wsRealmNameCallback = new WSRealmNameCallbackImpl("Realm name:");
        callbacks[7] = wsX509CertificateCallback = new WSX509CertificateChainCallback("X509Certificate[]: ");
        callbacks[8] = wsAuthMechOidCallback = new WSAuthMechOidCallbackImpl("AuthMechOid: ");

        try {
            _callbackHandler.handle(callbacks);
        } catch (UnsupportedCallbackException e) {
            // Do not continue with half-populated values: fail the login instead.
            throw new LoginException("Unsupported callback: " + e.getCallback());
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        }

        // Values that do not apply to this kind of login (for example, the servlet
        // request outside a web login) stay null.
        if (nameCallback != null) username = nameCallback.getName();
        if (passwordCallback != null) passwordChar = passwordCallback.getPassword();
        if (wsCredTokenCallback != null) credToken = wsCredTokenCallback.getCredToken();
        if (wsServletRequestCallback != null) request = wsServletRequestCallback.getHttpServletRequest();
        if (wsServletResponseCallback != null) response = wsServletResponseCallback.getHttpServletResponse();
        if (wsAppContextCallback != null) appContext = wsAppContextCallback.getContext();
        if (wsRealmNameCallback != null) realm = wsRealmNameCallback.getRealmName();
        if (wsX509CertificateCallback != null) certChain = wsX509CertificateCallback.getX509CertificateChain();
        if (wsAuthMechOidCallback != null) authMechOid = wsAuthMechOidCallback.getAuthMechOid();

        // Illustration only: copying the clear-text password (or any of these values)
        // into the Subject as String credentials is not something a real module should do.
        _subject.getPrivateCredentials().add("username = " + username);
        _subject.getPrivateCredentials().add("password = " + String.valueOf(passwordChar));
        _subject.getPrivateCredentials().add("realm = " + realm);
        _subject.getPrivateCredentials().add("authMechOid = " + authMechOid);
        return true;
    }

    public boolean commit() throws LoginException {
        return true;
    }

    public boolean abort() {
        return true;
    }

    public boolean logout() {
        return true;
    }
}
```
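The sample above does all of its work in login() and leaves commit(), abort() and logout() empty. The following added example (written for this page; it is not Liberty documentation or product code) shows the two-phase shape a custom module should have when it runs after the default Liberty login modules: it reads the read-only shared state entries WSPRINCIPAL_KEY and WSCREDENTIAL_KEY, falls back to a single NameCallback when those entries are absent, changes the Subject only in commit(), and removes exactly that change in abort() and logout(). The class name, the LoginTag credential type and the assumption that the module is ordered after the default modules are this example's own.

```java
package com.ibm.websphere.security.sample;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.wsspi.security.auth.callback.Constants;

/**
 * Added example, not Liberty documentation or product code. Reads the read-only shared
 * state that the default login modules populate and tags the Subject in commit(); abort()
 * and logout() undo exactly what commit() did. Class and LoginTag are assumed names.
 */
public class LoginTagLoginModule implements LoginModule {

    /** Public credential added by this module; the type is this example's own. */
    public static final class LoginTag {
        public final String user;
        public final String realm;  // null when no WSCredential was available
        LoginTag(String user, String realm) { this.user = user; this.realm = realm; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> sharedState;
    private LoginTag pending;    // decided in login(), applied in commit()
    private LoginTag committed;  // what commit() added; removed by abort()/logout()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = sharedState;
    }

    public boolean login() throws LoginException {
        // Read-only: never put these keys into sharedState from a custom module. They are
        // absent if this module runs before the default modules or the default login failed.
        Principal principal = (Principal) sharedState.get(Constants.WSPRINCIPAL_KEY);
        WSCredential cred = (WSCredential) sharedState.get(Constants.WSCREDENTIAL_KEY);
        String user, realm = null;
        if (principal != null) {
            user = principal.getName();
            try {
                if (cred != null) realm = cred.getRealmName();
            } catch (Exception e) {  // expired or destroyed credential: refuse, do not guess
                throw new LoginException("cannot read realm from WSCredential: " + e.getMessage());
            }
        } else {
            NameCallback nameCb = new NameCallback("Username: ");  // the one callback we need
            try {
                handler.handle(new Callback[] { nameCb });
            } catch (UnsupportedCallbackException e) {
                return false;  // nothing to tag; the controlFlag decides what "ignored" means
            } catch (IOException e) {
                throw new LoginException("callback handler failed: " + e.getMessage());
            }
            user = nameCb.getName();
            if (user == null || user.isEmpty()) return false;
        }
        pending = new LoginTag(user, realm);  // phase one only records; Subject untouched
        return true;
    }

    public boolean commit() throws LoginException {
        if (pending == null) return false;  // login() opted out, so stay out of the Subject
        final LoginTag tag = pending;
        privileged(() -> subject.getPublicCredentials().add(tag));
        committed = tag;
        pending = null;
        return true;
    }

    public boolean abort() throws LoginException {
        pending = null;
        removeCommitted();  // a later module failed after our commit(): roll our change back
        return true;
    }

    public boolean logout() throws LoginException {
        removeCommitted();
        return true;
    }

    private void removeCommitted() {
        if (committed == null) return;
        final LoginTag tag = committed;
        privileged(() -> subject.getPublicCredentials().remove(tag));
        committed = null;
    }

    /** Subject credential sets require AuthPermission when Java 2 security is enabled. */
    private static void privileged(Runnable r) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> { r.run(); return null; });
    }
}
```

Returning false from login() rather than throwing is what lets the module be ordered as OPTIONAL or SUFFICIENT without vetoing logins it has nothing to say about; throwing LoginException is reserved for states that must not produce an authenticated Subject, such as an expired WSCredential.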
- Optional: Develop a sample custom login module that uses hashtable login.
You can use the following sample to learn how to use hashtable login.
```java
package com.ibm.websphere.security.sample;

import java.util.Hashtable;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

/**
 * Custom login module that puts hashtable login properties into the shared state so
 * that the Liberty hashtable login module builds the Subject from them.
 */
@SuppressWarnings("unchecked")
public class CustomHashtableLoginModule implements LoginModule {

    protected Map<String, ?> _sharedState;
    protected Map<String, ?> _options;

    /**
     * Initialization of login module
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        _sharedState = sharedState;
        _options = options;
    }

    public boolean login() throws LoginException {
        try {
            Hashtable<String, Object> customProperties = (Hashtable<String, Object>)
                    _sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
            if (customProperties == null) {
                customProperties = new Hashtable<String, Object>();
            }
            // A user ID without a password means Liberty trusts that this module has
            // already authenticated the user; no password is checked for it.
            customProperties.put(AttributeNameConstants.WSCREDENTIAL_USERID, "userId");
            // Sample of creating custom cache key
            customProperties.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "customCacheKey");
            /*
             * Sample for creating user ID and security name
             * customProperties.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "userId");
             * customProperties.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, "securityName");
             * customProperties.put(AttributeNameConstants.WSCREDENTIAL_REALM, "realm");
             * customProperties.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, "groupList");
             */
            /*
             * Sample for creating user ID and password
             * customProperties.put(AttributeNameConstants.WSCREDENTIAL_USERID, "userId");
             * customProperties.put(AttributeNameConstants.WSCREDENTIAL_PASSWORD, "password");
             */
            Map<String, Hashtable> mySharedState = (Map<String, Hashtable>) _sharedState;
            mySharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, customProperties);
        } catch (Exception e) {
            throw new LoginException("LoginException: " + e.getMessage());
        }
        return true;
    }

    public boolean commit() throws LoginException {
        return true;
    }

    public boolean abort() {
        return true;
    }

    public boolean logout() {
        return true;
    }
}
```
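The sample above hard-codes "userId", which hides the point that matters in practice: supplying WSCREDENTIAL_USERID without WSCREDENTIAL_PASSWORD is an identity assertion, so the custom module itself must have done the authenticating. The following added example (written for this page; it is not Liberty documentation or product code) shows one realistic shape of that: it takes an HMAC-signed token from a request header via WSServletRequestCallback, verifies the signature and expiry, and only then asserts the user through the hashtable login with a cache key that keeps this Subject apart from password logins for the same user. The header name, the token layout user:expiry:base64url(HMAC-SHA256), the hmacKey login-module option and the class name are all this example's assumptions.

```java
package com.ibm.websphere.security.sample;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Hashtable;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
import com.ibm.websphere.security.auth.callback.WSServletRequestCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;

/**
 * Added example, not Liberty product code. Authenticates the request itself (an HMAC-signed
 * header) and then hands the verified user to Liberty through the hashtable login.
 * Header name, token layout and the "hmacKey" login-module option are assumptions.
 */
public class SignedHeaderLoginModule implements LoginModule {
    static final String HEADER = "X-Signed-User";   // assumed header; value is user:expiry:sig
    private CallbackHandler handler;
    private Map<String, ?> sharedState;
    private Map<String, ?> options;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = sharedState;
        this.options = options;
    }

    @SuppressWarnings("unchecked")
    public boolean login() throws LoginException {
        Object key = options.get("hmacKey");   // assumed: passed in via the module's options
        if (key == null) throw new LoginException("hmacKey option is not configured");
        WSServletRequestCallback reqCb = new WSServletRequestCallback("HttpServletRequest: ");
        try {
            handler.handle(new Callback[] { reqCb });
        } catch (UnsupportedCallbackException e) {
            return false;   // not a web login: ignore, let the other modules run
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        }
        HttpServletRequest req = reqCb.getHttpServletRequest();
        String token = (req == null) ? null : req.getHeader(HEADER);
        if (token == null) return false;   // no header: neither assert nor veto
        String user = verify(token, key.toString().getBytes(StandardCharsets.UTF_8),
                             System.currentTimeMillis() / 1000);
        if (user == null) throw new LoginException("invalid or expired " + HEADER + " token");

        // Identity assertion: only WSCREDENTIAL_USERID is supplied, so no password is
        // checked by Liberty. The HMAC check above is therefore the authentication step.
        Hashtable<String, Object> props = (Hashtable<String, Object>)
                sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (props == null) props = new Hashtable<String, Object>();
        props.put(AttributeNameConstants.WSCREDENTIAL_USERID, user);
        // Distinct cache key: a Subject built from this header must not be served from the
        // authentication cache for a later password login of the same user, or vice versa.
        props.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, HEADER + ":" + user);
        ((Map<String, Object>) sharedState).put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, props);
        return true;
    }

    /** Returns the user name if the token is well-formed, signed with key and unexpired; else null. */
    static String verify(String token, byte[] key, long nowSeconds) {
        String[] parts = token.split(":", -1);
        if (parts.length != 3 || parts[0].isEmpty()) return null;  // user names may not contain ':'
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(parts[2]); } catch (IllegalArgumentException e) { return null; }
        byte[] expected = hmac(key, parts[0] + ":" + parts[1]);
        // Constant-time comparison before the expiry check: a forger learns nothing from timing.
        if (!MessageDigest.isEqual(expected, given)) return null;
        return nowSeconds < expiry ? parts[0] : null;
    }

    /** Builds a token the way the (assumed) issuing front end would. */
    static String issue(String user, long expiry, byte[] key) {
        String body = user + ":" + expiry;
        return body + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(key, body));
    }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public boolean commit() { return true; }
    public boolean abort()  { return true; }
    public boolean logout() { return true; }
}
```

Two design points carry over to any module that asserts identity this way: the module returns false (ignored) when the header is simply absent, but throws when a header is present and fails verification, because a forged or expired token must never fall through to another module as if nothing had happened; and the cache key is deliberately not the bare user ID, so that Subjects created through this path are cached separately from those created by ordinary password logins.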
What to do next
Add the custom login module to the JAAS system login configurations, such as WEB_INBOUND and DEFAULT, in the server.xml file. Package the custom login module class in a JAR file, for example customLoginModule.jar, and make that JAR file available to the Liberty server. See Configuring a JAAS custom login module for Liberty.
Parent topic: Developing extensions to the Liberty security infrastructure
File name: twlp_dev_custom_jaas.html