为系统登录配置开发 JAAS 定制登录模块
对于 Liberty 服务器,存在多个用于配置系统登录的 Java™ 认证和授权服务 (JAAS) 插件点。Liberty 使用系统登录配置来认证入局请求。可以开发定制 JAAS 登录模块以将信息添加到系统登录配置的 Subject。
关于此任务
servlet 应用程序调用应用程序登录配置来获取基于特定认证信息的主体集。如果编写插入 Liberty 应用程序登录或系统登录配置中的登录模块,那么必须开发登录配置逻辑以了解特定信息的存在时间及其用法。有关更多详细信息,请参阅 JAAS 配置和 JAAS 登录模块。
要为系统登录配置开发 JAAS 定制登录模块,请遵循下列过程中的步骤:
过程
- 了解可用回调及其工作原理。
有关可用回调的更多信息,请参阅 JAAS 的程序化登录。
注: Liberty 仅支持下列回调:callbacks[0] = new javax.security.auth.callback.NameCallback("Username: "); callbacks[1] = new javax.security.auth.callback.PasswordCallback("Password: ", false); callbacks[2] = new com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl("Credential Token: "); callbacks[3] = new com.ibm.websphere.security.auth.callback.WSServletRequestCallback("HttpServletRequest: ") callbacks[4] = new com.ibm.websphere.security.auth.callback.WSServletResponseCallback("HttpServletResponse: "); callbacks[5] = new com.ibm.websphere.security.auth.callback.WSAppContextCallback("ApplicationContextCallback: "); callbacks[6] = new WSRealmNameCallbackImpl("Realm Name: ", default_realm); callbacks[7] = new WSX509CertificateChainCallback("X509Certificate[]: "); callbacks[8] = wsAuthMechOidCallback = new WSAuthMechOidCallbackImpl("AuthMechOid: ");
- 了解共享状态变量及其工作原理。 如果要访问 WebSphere® Application Server WebSphere Application Server 传统版 在登录期间创建的对象,请参阅下列共享状态变量。有关这些变量的更多信息,请参阅编程接口的“系统编程接口”子主题。
- com.ibm.wsspi.security.auth.callback.Constants.WSPRINCIPAL_KEY
- 指定 java.security.Principal 接口的已实现对象。此共享状态变量适用于只读用途。不要在定制登录模块的共享状态中设置此变量。缺省登录模块会设置此变量。
- com.ibm.wsspi.security.auth.callback.Constants.WSCREDENTIAL_KEY
- 指定 com.ibm.websphere.security.cred.WSCredential 对象。此共享状态变量适用于只读用途。不要在定制登录模块的共享状态中设置此变量。缺省登录模块将设置此变量。
- com.ibm.wsspi.security.auth.callback.Constants.WSSSOTOKEN_KEY
- 指定 com.ibm.wsspi.security.token.SingleSignonToken 对象。不要在定制登录模块的共享状态中设置此变量。缺省登录模块会设置此变量。
- 可选: 了解 Liberty 中定制 JAAS 登录模块的散列表。请参阅散列表登录模块,以了解更多详细信息。
- 开发使用回调和共享状态的样本定制登录模块。
可以使用以下样本来了解如何使用某些回调和共享状态变量。
public class CustomCallbackLoginModule implements LoginModule { protected Map<String, ?> _sharedState; protected Subject _subject = null; protected CallbackHandler _callbackHandler; private final String customPrivateCredential = "CustomLoginModuleCredential"; /** * Initialization of login module */ public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) { _sharedState = sharedState; _subject = subject; _callbackHandler = callbackHandler; } public boolean login() throws LoginException { try { AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { public Object run() throws Exception { _subject.getPrivateCredentials().add(customPrivateCredential); return null; } }); } catch (PrivilegedActionException e) { throw new LoginException(e.getLocalizedMessage()); } String username = null; char passwordChar[] = null; byte[] credToken = null; HttpServletRequest request = null; HttpServletResponse response = null; Map appContext = null; String realm = null; String authMechOid = null; java.security.cert.X509Certificate[] certChain = null; NameCallback nameCallback = null; PasswordCallback passwordCallback = null; WSCredTokenCallbackImpl wsCredTokenCallback = null; WSServletRequestCallback wsServletRequestCallback = null; WSServletResponseCallback wsServletResponseCallback = null; WSAppContextCallback wsAppContextCallback = null; WSRealmNameCallbackImpl wsRealmNameCallback = null; WSX509CertificateChainCallback wsX509CertificateCallback = null; WSAuthMechOidCallbackImpl wsAuthMechOidCallback = null; Callback[] callbacks = new Callback[9]; callbacks[0] = nameCallback = new NameCallback("Username: "); callbacks[1] = passwordCallback = new PasswordCallback("Password: ", false); callbacks[2] = wsCredTokenCallback = new WSCredTokenCallbackImpl("Credential Token: "); callbacks[3] = wsServletRequestCallback = new WSServletRequestCallback("HttpServletRequest: "); callbacks[4] = wsServletResponseCallback = new WSServletResponseCallback("HttpServletResponse: "); callbacks[5] = wsAppContextCallback = new WSAppContextCallback("ApplicationContextCallback: "); callbacks[6] = wsRealmNameCallback = new WSRealmNameCallbackImpl("Realm name:"); callbacks[7] = wsX509CertificateCallback = new WSX509CertificateChainCallback("X509Certificate[]: "); callbacks[8] = wsAuthMechOidCallback = new WSAuthMechOidCallbackImpl("AuthMechOid: "); try { _callbackHandler.handle(callbacks); } catch (Exception e) { // handle exception } if (nameCallback != null) username = nameCallback.getName(); if (passwordCallback != null) passwordChar = passwordCallback.getPassword(); if (wsCredTokenCallback != null) credToken = wsCredTokenCallback.getCredToken(); if (wsServletRequestCallback != null) request = wsServletRequestCallback.getHttpServletRequest(); if (wsServletResponseCallback != null) response = wsServletResponseCallback.getHttpServletResponse(); if (wsAppContextCallback != null) appContext = wsAppContextCallback.getContext(); if (wsRealmNameCallback != null) realm = wsRealmNameCallback.getRealmName(); if (wsX509CertificateCallback != null) certChain = wsX509CertificateCallback.getX509CertificateChain(); if (wsAuthMechOidCallback != null) authMechOid = wsAuthMechOidCallback.getAuthMechOid(); _subject.getPrivateCredentials().add("username = " + username); _subject.getPrivateCredentials().add("password = " + String.valueOf(passwordChar)); _subject.getPrivateCredentials().add("realm = " + realm); _subject.getPrivateCredentials().add("authMechOid = " + authMechOid.toString()); return true; } public boolean commit() throws LoginException { return true; } public boolean abort() { return true; } public boolean logout() { return true; } }
- 可选: 开发使用散列表登录的样本定制登录模块。
可以使用以下样本来了解如何使用散列表登录。
package com.ibm.websphere.security.sample; import java.util.Map; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; import com.ibm.wsspi.security.token.AttributeNameConstants; /** * Custom login module that adds another PublicCredential to the subject */ @SuppressWarnings("unchecked") public class CustomHashtableLoginModule implements LoginModule { protected Map<String, ?> _sharedState; protected Map<String, ?> _options; /** * Initialization of login module */ public void initialize( Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) { _sharedState = sharedState; _options = options; } public boolean login() throws LoginException { try { java.util.Hashtable<String, Object> customProperties = (java.util.Hashtable<String, Object>) _sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY); if (customProperties == null) { customProperties = new java.util.Hashtable<String, Object>(); } customProperties.put(AttributeNameConstants.WSCREDENTIAL_USERID, "userId"); // Sample of creating custom cache key customProperties.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "customCacheKey"); /* * Sample for creating user ID and security name * customProperties.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "userId"); * customProperties.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, "securityName"); * customProperties.put(AttributeNameConstants.WSCREDENTIAL_REALM, "realm"); * customProperties.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, "groupList"); */ /* * Sample for creating user ID and password * customProperties.put(AttributeNameConstants.WSCREDENTIAL_USERID, "userId"); * customProperties.put(AttributeNameConstants.WSCREDENTIAL_PASSWORD, "password"); */ Map<String, java.util.Hashtable> mySharedState = (Map<String, java.util.Hashtable>) _sharedState; mySharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, customProperties); } catch (Exception e) { throw new LoginException("LoginException: " + e.getMessage()); } return true; } public boolean commit() throws LoginException { return true; } public boolean abort() { return true; } public boolean logout() { return true; } }
下一步做什么
将定制登录模块添加到 server.xml 文件的 WEB_INBOUND 和缺省 Java 认证和授权服务 (JAAS) 系统登录配置。将定制登录模块类放到 JAR 文件(例如 customLoginModule.jar)中,然后向 Liberty 服务器提供该 JAR 文件。请参阅为 Liberty 配置 JAAS 定制登录模块。
相关任务:


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-libcore-mp&topic=twlp_dev_custom_jaas
文件名:twlp_dev_custom_jaas.html