5.2.2.2.10: The mapCertificate and checkPassword methods

The mapCertificate and checkPassword methods allow users to be authenticated against the custom registry. Both methods return a user name, which is typically the name of the authenticated user. In some cases, however, it is desirable to authenticate a user but return a different valid user name. For example, consider a Web site that offers users different services depending on their subscription level. When a user enters the site, he or she is prompted for login information, which is used to authenticate the user and determine the subscription level. All users at one subscription level can then be assigned the same user name, and users at another subscription level can be assigned a different one. Because authorization is based on the subscription level rather than a user's identity, and there are fewer subscription levels than individual users, this approach simplifies the authorization procedures for the application.

The mapCertificate method takes an X.509 certificate as an argument and returns a valid user name. Typically, the certificate holder's name is extracted from the certificate, authenticated against the registry, and returned. WebSphere Application Server expects the method to throw the CertificateMapNotSupportedException exception if the registry does not support mapping certificates to users, to throw the CertificateMapFailedException exception if the certificate does not represent a valid user in the registry, and to throw the CustomRegistryException exception for any other condition.

Figure 15 shows the implementation of the mapCertificate method for the example registry. The method extracts the user name from the certificate and returns it.

Figure 15. Code example: The mapCertificate method in the FileRegistrySample class

public String mapCertificate(X509Certificate cert)
    throws CertificateMapNotSupportedException,
           CertificateMapFailedException,
           CustomRegistryException
{
    String name = null;
    try {
        // Extract the SubjectDN from the certificate.
        name = cert.getSubjectDN().getName();
    }
    catch (Exception ex) {
        throw new CertificateMapNotSupportedException(ex.getMessage());
    }
    // Determine whether the SubjectDN represents a valid user in the registry.
    if (!isValidUser(name)) {
        throw new CertificateMapFailedException(name);
    }
    return name;
}

The checkPassword method verifies that the password submitted for a user name matches the password recorded in the registry for that user. WebSphere Application Server expects the method to throw the PasswordCheckFailedException exception if the supplied password does not match the recorded password and to throw the CustomRegistryException exception for any other conditions.

Figure 16 shows the implementation of the checkPassword method for the example registry. The method locates the entry for the user in the user-information file and matches the supplied password against the value of the password field. If the passwords do not match, the PasswordCheckFailedException exception is thrown; otherwise, the method returns the name of the authenticated user.

Figure 16. Code example: The checkPassword method in the FileRegistrySample class

public String checkPassword(String userId, String passwd)
    throws PasswordCheckFailedException, CustomRegistryException
{
    String s, userName = null;
    BufferedReader in = null;

    try {
        in = fileOpen(USERFILENAME);

        while ((s = in.readLine()) != null)
        {
            // Lines beginning with "#" are comments.
            if (!s.startsWith("#")) {
                // The first field is the user name, the second is the password.
                int index  = s.indexOf(":");
                int index1 = s.indexOf(":", index + 1);

                // Check existence of the username/password pair.
                if ((s.substring(0, index)).equals(userId) &&
                    s.substring(index + 1, index1).equals(passwd)) {
                    // The username and password match the registry,
                    // so authentication succeeds.
                    userName = userId;
                    break;
                }
            }
        }
    }
    catch (Exception ex) {
        // Any I/O or parsing problem is reported as a registry error.
        throw new CustomRegistryException(ex.getMessage());
    }
    finally {
        fileClose(in);
    }

    if (userName == null)
    {
        throw new PasswordCheckFailedException(userId);
    }

    return userName;
}
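The sample above compares the stored password in clear text and relies on substring() positions, so a line with fewer than two colons is reported as a registry error. The following standalone Java class is an added example, not part of FileRegistrySample and not dependent on the WebSphere classes: it walks a constructed in-memory registry the same way, but the password field holds a salted SHA-256 hash, malformed lines are skipped, and the comparison is constant-time. The three-field line layout, the class name and the helper names are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public class HashedFileRegistryCheck {
    // Constructed sample registry, one "userId:sha256hex(salt+password):salt" line per user.
    // This three-field layout is an assumption; the page's sample stores "userId:password:...".
    static final String USERFILE =
          "# users file\n"
        + "alice:" + saltedHash("s4lt", "secret") + ":s4lt\n"
        + "broken line with no fields\n"
        + "bob:" + saltedHash("p3pper", "hunter2") + ":p3pper\n";
    // Hex of SHA-256(salt || password); a slow password hash such as PBKDF2 is preferable in production.
    static String saltedHash(String salt, String password) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest((salt + password).getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
    // Returns the user name on success, or null if the user is unknown or the password is wrong.
    // In a CustomRegistry, null maps to PasswordCheckFailedException and IOException to CustomRegistryException.
    public static String checkPassword(String userId, String passwd) throws IOException {
        try (BufferedReader in = new BufferedReader(new StringReader(USERFILE))) {
            String s;
            while ((s = in.readLine()) != null) {
                if (s.startsWith("#")) continue;
                String[] f = s.split(":", -1);
                if (f.length < 3 || !f[0].equals(userId)) continue; // skip malformed lines and other users
                byte[] stored = f[1].getBytes(StandardCharsets.UTF_8);
                byte[] computed = saltedHash(f[2], passwd).getBytes(StandardCharsets.UTF_8);
                // Constant-time comparison: response timing does not reveal how much of the hash matched.
                return MessageDigest.isEqual(stored, computed) ? userId : null;
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("alice/secret -> " + checkPassword("alice", "secret"));
        System.out.println("alice/wrong  -> " + checkPassword("alice", "wrong"));
    }
}
```

A registry built this way returns a name only after a full constant-time digest match, so a wrong password and an unknown user both fall through to the same PasswordCheckFailedException path.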
