With a server application, the application acts as the request consumer, and the response generator is deployed and runs in the Java Platform, Enterprise Edition (Java EE) container. The consumer component for Web Services Security stores the security tokens that it receives in the Java Authentication and Authorization Service (JAAS) Subject of the current thread. You can retrieve the security tokens from this JAAS Subject, which the container maintains as thread-local state.
About this task
This information applies only to Java API for XML-based RPC (JAX-RPC) Web services.
The security handlers are responsible for propagating security tokens. These security tokens are embedded in the SOAP security header and passed to downstream servers. The security tokens are encapsulated in the implementation classes for the com.ibm.wsspi.wssecurity.auth.token.Token interface. You can retrieve the security token data from either a server application or a client application.
Complete the following steps to retrieve the security token data from a server application:
Procedure
- Obtain the JAAS Subject of the current thread using the WSSubject utility class. If you enable Java 2 Security on the Global security panel in the administrative console, access to the JAAS Subject is denied unless the application code is granted the javax.security.auth.AuthPermission("wssecurity.getCallerAsSubject") permission. The following code sample shows how to obtain the JAAS Subject:
    // The Subject is null when the current thread has no authenticated caller.
    javax.security.auth.Subject subj = null;
    try {
        subj = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();
    } catch (com.ibm.websphere.security.WSSecurityException e) {
        … // handle the failure to obtain the Subject
    }
- Obtain the set of private credentials from the Subject. For more information, see the application programming interface (API) documentation for the com.ibm.websphere.security.auth.WSSubject class in the information center. To access this information within the information center, click Reference > Developer > API Documentation > Application Programming Interfaces. In the Application Programming Interfaces article, click com.ibm.websphere.security.auth > WSSubject.
Attention: When Java 2 Security is enabled, you might need to use the AccessController class to avoid a security violation that is caused by operating on the security objects in the Java EE container. The following code sample shows how to run the call through the AccessController class and obtain the private credentials. The subj variable from the previous step must be final (or effectively final) so that the anonymous PrivilegedAction can reference it:
    import java.security.AccessController;
    import java.security.PrivilegedAction;
    import java.util.Set;

    // subj is the javax.security.auth.Subject obtained in the previous step.
    final javax.security.auth.Subject subject = subj;
    Set s = (Set) AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
            // Only this code source needs the permission to read the credentials.
            return subject.getPrivateCredentials();
        }
    });
- Search for the target token class in the private credentials. You can search for the target token class by using the java.util.Iterator interface. The following example shows how to retrieve a username token with a certain token ID value in the security header. You can also use other method calls to retrieve security tokens. For more information, see the application programming interface (API) documents for the com.ibm.wsspi.wssecurity.auth.token.Token interface or custom token classes.
    import java.util.Iterator;

    // Remains null if no UsernameToken with the wanted ID is in the Subject.
    com.ibm.wsspi.wssecurity.auth.token.UsernameToken unt = null;
    Iterator it = s.iterator();
    while (it.hasNext()) {
        Object obj = it.next();
        if (obj instanceof com.ibm.wsspi.wssecurity.auth.token.UsernameToken) {
            com.ibm.wsspi.wssecurity.auth.token.UsernameToken candidate =
                (com.ibm.wsspi.wssecurity.auth.token.UsernameToken) obj;
            // Compare against the token ID (the wsu:Id of the token element).
            if (candidate.getId().equals("…")) {
                unt = candidate;
                break;
            }
        }
    }
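The three steps above combined into one helper, as an added example that is not part of this documentation or of the WebSphere product code. It assumes Java 5 or later (generics and the typed doPrivileged overloads), that getId() is declared on the com.ibm.wsspi.wssecurity.auth.token.Token interface and not only on UsernameToken (the page shows it on UsernameToken), and that, when Java 2 Security is enabled, the application's META-INF/was.policy grants javax.security.auth.AuthPermission "wssecurity.getCallerAsSubject" to the code source containing this class. It generalizes the page's UsernameToken search to any Token implementation class and handles the unauthenticated case, where WSSubject.getCallerSubject() returns null.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;

import javax.security.auth.Subject;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.wssecurity.auth.token.Token;
import com.ibm.wsspi.wssecurity.auth.token.UsernameToken;

/**
 * Added example (not product code): looks up a Web Services Security token of a
 * given class, optionally with a given token ID (wsu:Id), in the JAAS Subject
 * of the current thread. Intended to be called from a JAX-RPC server application.
 */
public final class CallerTokenLookup {

    private CallerTokenLookup() { }

    /** Step 1: the caller Subject, fetched inside doPrivileged so that only this
     *  class's code source needs AuthPermission("wssecurity.getCallerAsSubject"). */
    private static Subject callerSubject() throws WSSecurityException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() {
                public Subject run() throws WSSecurityException {
                    return WSSubject.getCallerSubject();
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only WSSecurityException, so this cast is safe.
            throw (WSSecurityException) e.getException();
        }
    }

    /** Step 2: the Subject's private credentials, also read under doPrivileged. */
    private static Set<Object> privateCredentials(final Subject subj) {
        return AccessController.doPrivileged(new PrivilegedAction<Set<Object>>() {
            public Set<Object> run() {
                return subj.getPrivateCredentials();
            }
        });
    }

    /**
     * Step 3: the first credential that is an instance of tokenClass and, when
     * wantedId is non-null, whose getId() equals wantedId. Returns null if no
     * such token exists or if the thread carries no authenticated Subject, so
     * callers must handle null rather than assume a token is present.
     */
    public static <T extends Token> T findToken(Class<T> tokenClass, String wantedId)
            throws WSSecurityException {
        Subject subj = callerSubject();
        if (subj == null) {
            return null; // unauthenticated caller: nothing to search
        }
        for (Object obj : privateCredentials(subj)) {
            if (!tokenClass.isInstance(obj)) {
                continue;
            }
            T token = tokenClass.cast(obj);
            // Assumption: getId() is declared on the Token interface.
            if (wantedId == null || wantedId.equals(token.getId())) {
                return token;
            }
        }
        return null;
    }

    /** The page's own case: a UsernameToken with a particular token ID. */
    public static UsernameToken findUsernameToken(String wantedId) throws WSSecurityException {
        return findToken(UsernameToken.class, wantedId);
    }
}
```

Whatever findToken returns was validated by the consumer-side security handler before it was placed in the Subject; application code should use it as an already-authenticated credential rather than re-check it, and should treat its contents as sensitive. A UsernameToken in particular can carry the password the client sent, so do not log or echo the token object.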
Results
After completing these steps, you have retrieved the security tokens from the JAAS Subject in a server application.