By enabling identity assertion with trust validation, an
application can use the JAAS login configuration to perform a programmatic
identity assertion.
About this task
To enable an identity assertion with trust validation, follow
these steps:
Procedure
- Create a custom login module to perform a trust validation.
  The login module must set trust and identity information in the shared
  state, which is then passed on to the IdentityAssertionLoginModule.
  The trust and identity information is stored in a map in the shared
  state under the key com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state.
  If this key is missing from the shared state, a WSLoginFailedException
  error is thrown by the IdentityAssertionLoginModule module. The custom
  login module should include the following:
  - A trust key named com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trust.
    If the trust key is set to true, trust is established. If the trust
    key is set to false, the IdentityAssertionLoginModule module creates
    a WSLoginFailedException error.
  - The identity, of the java.security.Principal type, set in the
    com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal key.
  - The identity in the form of a java.security.cert.X509Certificate[]
    certificate array, set in the
    com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates key.
  Note: If both a principal and a certificate are supplied, the
  principal is used, and a warning is issued.
- Create a new Java Authentication and Authorization Service (JAAS)
  configuration for application logins.
  It contains the user-implemented trust validation custom login module
  and the IdentityAssertionLoginModule module. To configure an application
  login configuration from the administrative console, complete the
  following steps:
  - Click Security > Global security.
  - Under Java Authentication and Authorization Service, click
    Application logins > New.
  - Supply the JAAS configuration with an alias, and then click Apply.
  - Under Additional properties, click JAAS Login Modules > New.
  - Enter the module class name of the user-implemented trust validation
    custom login module, and then click Apply.
  - Enter the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule
    module class name.
  - Make sure that the module class names are in the correct order. The
    user-implemented trust validation login module must be the first
    class in the list, and the IdentityAssertionLoginModule module must
    be the second class.
  - Click Save. The new JAAS configuration is used by the application to
    perform an identity assertion.
What to do next
An application can now use the JAAS login configuration to
perform a programmatic identity assertion. The application can create
a login context for the JAAS configuration created in step 2, then
login to that login context with the identity it asserts to. If the
login is successful, that identity can be set in the current running
process, as in the following example:
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;

// MyCallbackHandler and MyPrincipal are application-supplied classes.
MyCallbackHandler handler = new MyCallbackHandler(new MyPrincipal("Joe"));
LoginContext lc = new LoginContext("MyAppLoginConfig", handler); // alias from step 2
lc.login(); // assume successful; throws LoginException if trust validation fails
Subject s = lc.getSubject();
WSSubject.setRunAsSubject(s);
// From here on, the runas identity is "Joe"