If you want an application or system provider to perform an identity
assertion with trust validation, it can be accomplished by use of the Java™ Authentication
and Authorization Service (JAAS) login framework, where trust validation is
performed in one login module and credential creation in another. These two
custom login modules are used to create a JAAS login configuration that performs
a login to an identity assertion.
Two custom login module are required:
- A user-implemented trust association login module. This login module performs
whatever trust verification the user requires. When trust is verified, the
trust verification status and the login identity must be placed in a map in
the share state of the login module to enable the credential creation login
module to use that information. The map must be stored in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state
property. State maps contain the following information:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
– set to true, if trusted, and false, if not trusted.
- com.ibm.wsspi.security.common.auth.module.IdenityAssertionLoginModule.principal
– contains the principal of the identity.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
– contains the certificate of the identity
- The com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule
module performs the credential creation. It requires that the trust state
information be in the login context’s shared state. This login module is protected
by the Java 2 security runtime permissions for the following:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login
IdentityAssertionLoginModule searches for the trust information in the
shared state property, com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state.
This is a map that contains the trust status and the identity used to login.
The map includes the following:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
– if set to true it is trusted, false if not trusted.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
– if a principal is used, it contains the principal of the identity necessary
to login.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
– if a certificate is used, it contains an array of a certificate chain that
includes the identity necessary to login.
A WSLoginFailedException is returned if the state, trust, or identity information
is missing. The login module then performs a login of the identity. The subject
now contains the new identity.