WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Enabling identity assertion with trust validation

Why and when to perform this task

To enable an identity assertion with trust validation, follow these steps:

Steps for this task

  1. Create a custom login module to perform a trust validation. The login module must set trust and identity information in the shared state, which is then passed on to the IdentityAssertionLoginModule. The trust and identity information is stored in a map in the shared state under the key com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state. If this key is missing from the shared state, the IdentityAssertionLoginModule module throws a WSLoginFailedException error. The custom login module should include the following:
    • a trust key named com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trust. If the trust key is set to true, trust is established. If the trust key is set to false, the IdentityAssertionLoginModule module throws a WSLoginFailedException error.
    • the identity, as a java.security.Principal, set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal key.
    • the identity, as a java.security.cert.X509Certificate[] certificate chain, set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates key.
    Note: If both a principal and a certificate are supplied, the principal is used, and a warning is issued.
  2. Create a new Java Authentication and Authorization Service (JAAS) configuration for application logins. This configuration contains the user-implemented trust validation custom login module and the IdentityAssertionLoginModule module. To configure an application login configuration from the administrative console, do the following:
    1. Click Global Security -> JAAS Configurations -> Application Logins.
    2. Click New.
    3. Supply the JAAS configuration with an alias, and then click Apply.
    4. Click JAAS Login Modules and then New.
    5. Enter the module class name of the user-implemented trust validation custom login module, and then click Apply.
    6. Enter the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule module class name.
    7. Make sure that the login module classes are in the correct order. The user-implemented trust validation login module must be the first class in the list, and the IdentityAssertionLoginModule module must be the second class.
    8. Click Save. The new JAAS configuration is used by the application to perform an identity assertion.
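The following is an added example of the custom login module that step 1 calls for; it is not code from the IBM documentation. The class name TrustValidationLoginModule, the helper class AssertedPrincipal and the custom property trustedAsserters are hypothetical. It assumes that the value stored under the trust key is a java.lang.Boolean, that the caller identity is obtained with WSSubject.getCallerPrincipal(), and that the asserted identity is delivered through a standard javax.security.auth.callback.NameCallback (the page's own MyCallbackHandler supplies a MyPrincipal instead). The shared-state keys are the ones documented above.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.security.auth.WSSubject;

// Added example, not IBM code: a hypothetical trust-validation login module.
// It must be the FIRST module in the JAAS application login configuration;
// IdentityAssertionLoginModule (second) reads what this module publishes.
public class TrustValidationLoginModule implements LoginModule {

    private static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule";
    static final String STATE_KEY     = PREFIX + ".state";      // map in the shared state
    static final String TRUST_KEY     = PREFIX + ".trust";      // true or false
    static final String PRINCIPAL_KEY = PREFIX + ".principal";  // java.security.Principal
    // PREFIX + ".certificates" (X509Certificate[]) is the alternative identity form;
    // if both are supplied, the principal is used and a warning is issued.

    // Minimal Principal carrying the asserted name (hypothetical helper class).
    static final class AssertedPrincipal implements Principal {
        private final String name;
        AssertedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "AssertedPrincipal[" + name + "]"; }
    }

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private final Set<String> trustedAsserters = new HashSet<String>();

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = callbackHandler;
        this.sharedState = (Map<String, Object>) sharedState;
        // Hypothetical custom property "trustedAsserters": comma-separated list of
        // identities allowed to assert on behalf of others, set on this login
        // module in the JAAS configuration.
        Object list = options.get("trustedAsserters");
        if (list != null) {
            for (String s : ((String) list).split(",")) {
                trustedAsserters.add(s.trim());
            }
        }
    }

    public boolean login() throws LoginException {
        // 1. Who is asserting? The identity already running in this thread
        //    (assumption: WSSubject.getCallerPrincipal() returns its name).
        String asserter = WSSubject.getCallerPrincipal();
        boolean trusted = asserter != null && trustedAsserters.contains(asserter);

        // 2. Which identity is being asserted? Collected via a NameCallback, so the
        //    CallbackHandler given to LoginContext must answer that callback type.
        NameCallback nameCb = new NameCallback("asserted identity: ");
        try {
            handler.handle(new Callback[] { nameCb });
        } catch (Exception e) {
            throw new LoginException("cannot obtain the asserted identity: " + e);
        }
        String name = nameCb.getName();
        if (name == null || name.length() == 0) {
            throw new LoginException("no identity asserted");
        }

        // 3. Publish the decision under the documented keys. The identity is only
        //    published when trust was established; with trust=false the
        //    IdentityAssertionLoginModule throws WSLoginFailedException.
        Map<String, Object> state = new HashMap<String, Object>();
        state.put(TRUST_KEY, Boolean.valueOf(trusted));   // assumed to be a Boolean
        if (trusted) {
            state.put(PRINCIPAL_KEY, new AssertedPrincipal(name));
        }
        sharedState.put(STATE_KEY, state);
        return true;
    }

    public boolean commit() { return true; }  // IdentityAssertionLoginModule fills the Subject
    public boolean abort()  { sharedState.remove(STATE_KEY); return true; }
    public boolean logout() { return true; }
}
```

With this module registered first in the configuration from step 2 and given, for instance, the custom property trustedAsserters=gatewayService (a constructed value), a login attempted by any caller other than gatewayService leaves trust set to false, and the IdentityAssertionLoginModule rejects the assertion rather than establishing the asserted identity.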

What to do next

An application can now use the JAAS login configuration to perform a programmatic identity assertion. The application creates a login context for the JAAS configuration created in step 2, then logs in to that login context with the identity it asserts. If the login is successful, that identity can be set in the current running process, as in the following example:

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;

// MyCallbackHandler and MyPrincipal are application-supplied classes
MyCallbackHandler handler = new MyCallbackHandler(new MyPrincipal("Joe"));
LoginContext lc = new LoginContext("MyAppLoginConfig", handler);
lc.login(); // assume successful; a failed trust check throws WSLoginFailedException
Subject s = lc.getSubject();
WSSubject.setRunAsSubject(s);
// From here on, the runas identity is "Joe"

Related concepts
Identity assertions with trust validation

Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_identity_assert.html

© Copyright IBM Corporation 2005. All Rights Reserved.