You can use the GenericSecurityTokenFactory APIs to pass
a SAML token that you have created to the SAMLGenerateLoginModule
or GenericIssuedTokenGenerateLoginModule modules. You can also use
these APIs to obtain SAML tokens that are consumed by SAMLConsumeLoginModule
or GenericIssuedTokenConsumeLoginModule modules.
About this task
In this task, you will stack a custom login module above
SAMLGenerateLoginModule for SAML token generation and one under SAMLConsumeLoginModule
for SAML token consumption.
Although you can stack a login module
under SAMLGenerateLoginModule to inspect a SAML token that has been
created by that class, you cannot modify the SAML token that is obtained
in this way unless the token does not contain a digital signature.
If you modify a SAML token that contains a digital signature, the
XML for the SAML token will be adjusted for your updates; but, because
the token was signed before you updated it, the signature validation
will fail on the receiver.
This task generates
a SAML 1.1 bearer token, but you can use any SAML version and type
that is supported by the runtime environment. For more information
about creating and modifying SAML tokens with the GenericSecurityTokenFactory
APIs, see Developing SAML applications. For more information
about how to place the token on the client's request context instead
of using a JAAS login module, see the com.ibm.wsspi.wssecurity.token.tokenHolder
and com.ibm.wsspi.wssecurity.token.enableCaptureTokenContext constants
in com.ibm.wsspi.wssecurity.core.Constants.
- Create the following generator JAAS login module and make
it available to your application code.
package test.tokens;
import java.util.ArrayList;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
public class MySamlGenerator implements LoginModule {
private Map _sharedState;
private Map _options;
private CallbackHandler _handler;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState, Map<String, ?> options) {
this._handler = callbackHandler;
this._sharedState = sharedState;
this._options = options;
}
public boolean login() throws LoginException {
GenericSecurityTokenFactory factory = null;
try {
factory = GenericSecurityTokenFactory.getInstance();
} catch (Exception e) {
throw new LoginException(e.toString());
}
if (factory == null) {
throw new LoginException("GenericSecurityTokenFactory.getInstance() returned null");
}
SAMLToken myToken = null;
try {
myToken = createSamlToken();
} catch (Exception e) {
throw new LoginException(e.toString());
}
if (myToken == null) {
throw new LoginException("myToken is null");
}
//Put the token in a list on the shared state where it will be available to be used by
//stacked login modules
factory.putGeneratorTokenToSharedState(_sharedState, myToken);
return true;
}
private SAMLToken createSamlToken() throws Exception {
//SAML Bearer example
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
reqData.setAuthenticationMethod("Password"); //Authentication method for Assertion
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("self-issue");
CredentialConfig cred = samlFactory.newCredentialConfig ();
cred.setRequesterNameID("Alice"); // SAML NameIdentifier
//Add some SAML attributes:
SAMLAttribute attribute = new SAMLAttribute
("email", new String[] {"joe@websphere"},null, "WebSphere", "email", "joe");
ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
al.add(attribute);
attribute = new SAMLAttribute("Membership",
new String[] {"Super users", "My team"}, null, null, null, null );
al.add(attribute);
cred.setSAMLAttributes(al);
SAMLToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
return samlToken;
}
public boolean logout() throws LoginException {
return false;
}
public boolean abort() throws LoginException {
return false;
}
public boolean commit() throws LoginException {
return true;
}
}
- Create the following consumer JAAS login module and make
it available to your application code.
package test.tokens;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import com.ibm.websphere.wssecurity.wssapi.token.GenericSecurityTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
public class MySamlConsumer implements LoginModule {
private Map _sharedState;
private Map _options;
private CallbackHandler _handler;
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState, Map<String, ?> options) {
this._handler = callbackHandler;
this._sharedState = sharedState;
this._options = options;
}
public boolean login() throws LoginException {
GenericSecurityTokenFactory factory = null;
try {
factory = GenericSecurityTokenFactory.getInstance();
} catch (Exception e) {
throw new LoginException(e.toString());
}
if (factory == null) {
throw new LoginException("GenericSecurityTokenFactory.getInstance() returned null");
}
//Get the token that was consumed by the GenericIssuedConsumeLoginModule
SecurityToken myToken = factory.getConsumerTokenFromSharedState(_sharedState, new QName(SAMLTokenFactory.WssSamlV11Token11));
if (myToken == null) {
throw new LoginException("myToken is null");
}
if (myToken instanceof SAMLToken) {
//Examine the SAML token with SAML APIs
SAMLToken samlToken = (SAMLToken)myToken;
String id = samlToken.getSamlID();
String subjectDns = samlToken.getSubjectDNS();
//...
} else {
throw new LoginException("Did not receive a SAML token");
}
return true;
}
public boolean logout() throws LoginException {
return false;
}
public boolean abort() throws LoginException {
return false;
}
public boolean commit() throws LoginException {
return true;
}
}
- Create a JAAS login configuration.
- In the administrative console, go to .
- Under Authentication, go to .
- Create the SAML token generator.
- Click New, and under Alias, enter test.generate.saml.
- Under JAAS login modules, click New, and
under Module class name, enter test.tokens.MySamlGenerator.
Select Use login module proxy, and click OK.
- Click New, and under Module class name,
enter com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule.
Click OK.
- Create the SAML token consumer.
- Click JAAS - System logins in the breadcrumbs
at the top of the page to return to the JAAS system logins page.
- Click New, and under Alias, enter test.consume.saml.
- Under JAAS login modules, click New, and
under Module class name, enter com.ibm.ws.wssecurity.wssapi.token.impl.SAMLConsumeLoginModule.
Select Use login module proxy, and click OK.
- Click Save.
- Configure the SAML token generator to use the new JAAS
login configuration.
- In the administrative console, open the bindings configuration
that you want to change.
- Select .
- Under Authentication tokens, select the SAML outbound
token that you want to change.
- Under JAAS login, select test.generate.saml.
- Configure the SAML token consumer to use the new JAAS configuration.
- In the administrative console, open the bindings configuration
that you want to change.
- Select .
- Under Authentication tokens, select the SAML inbound
token that you want to change.
- Under JAAS login, select test.consume.saml.
- Click Save.
- Restart the application server to apply the JAAS configuration
changes.
- Test the service.