Use this topic as an example of how to perform programmatic login using the CORBA-based programmatic login APIs.
Before you begin
This document outlines the deprecated Common Object Request Broker Architecture (CORBA) programmatic login APIs and the alternatives that are provided by JAAS. WebSphere® Application Server fully supports the Java Authentication and Authorization Service (JAAS) as programmatic login application programming interfaces (API).
See Configuring programmatic logins for Java Authentication and Authorization Service and Developing programmatic logins with the Java Authentication and Authorization Service for more details on JAAS support.
The following list includes the deprecated CORBA programmatic login APIs.
- profile_root/installedApps/sampleApp.ear/default_app.war/WEB-INF/classes/ServerSideAuthenticator.java.
- org.omg.SecurityLevel2.Credentials.
  This API is included with the product, but it is not recommended that you use the API.
The APIs that are provided in WebSphere Application Server are a combination of standard JAAS APIs and a product implementation of standard JAAS interfaces.
The following information is only a summary; refer to the JAAS documentation for your platform located at: http://www.ibm.com/developerworks/java/jdk/security/.
- javax.security.auth.Subject:
- com.ibm.websphere.security.auth.WSSubject
  An extension provided by the product to invoke remote J2EE resources using the credentials in the javax.security.auth.Subject.
- com.ibm.websphere.security.cred.WSCredential
  After a successful JAAS login with the WebSphere Application Server LoginModules interfaces, a com.ibm.websphere.security.cred.WSCredential credential is created and stored in the Subject.
- com.ibm.websphere.security.auth.WSPrincipal
  An authenticated principal that is created and stored in a Subject that is authenticated by the WebSphere Application Server LoginModules interface.
- Use the following as an example of how to perform programmatic login using the CORBA-based programmatic login APIs. The CORBA-based programmatic login APIs are replaced by JAAS login.
  Note: The LoginHelper application programming interface (API) that is used in the following example is deprecated in WebSphere Application Server Version 8.0 and will be removed in a future release. It is recommended that you use the JAAS programmatic login APIs that are shown in the next step.
    public class TestClient {
        ...
        private void performLogin() {
            // Get the ID and password of the user.
            String userid = customGetUserid();
            String password = customGetPassword();
            // Create a new security context to hold authentication data.
            LoginHelper loginHelper = new LoginHelper();
            try {
                // Provide the ID and password of the user for authentication.
                org.omg.SecurityLevel2.Credentials credentials =
                    loginHelper.login(userid, password);
                // Use the new credentials for all future invocations.
                loginHelper.setInvocationCredentials(credentials);
                // Retrieve the name of the user from the credentials
                // so we can tell the user that login succeeded.
                String username = loginHelper.getUserName(credentials);
                System.out.println("Security context set for user: " + username);
            } catch (org.omg.SecurityLevel2.LoginFailed e) {
                // Handle the LoginFailed exception.
            }
        }
        ...
    }
- Use the following example to migrate the CORBA-based programmatic login APIs to the JAAS programmatic login APIs.
  The following example assumes that the application code is granted the required Java 2 security permissions. For more information, see Configuring programmatic logins for Java Authentication and Authorization Service, Protecting system resources and APIs (Java 2 security) for developing applications, and the JAAS documentation located at http://www.ibm.com/developerworks/java/jdk/security/.
    public class TestClient {
        ...
        private void performLogin() {
            // Create a new JAAS LoginContext.
            javax.security.auth.login.LoginContext lc = null;
            try {
                // Use a GUI prompt to gather the BasicAuth data.
                lc = new javax.security.auth.login.LoginContext("WSLogin",
                    new com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl());
                // Create a LoginContext and specify a CallbackHandler implementation.
                // The CallbackHandler implementation determines how authentication data
                // is collected. In this case, the authentication data is collected by a
                // login prompt and passed to the authentication mechanism implemented
                // by the LoginModule.
            } catch (javax.security.auth.login.LoginException e) {
                System.err.println("ERROR: failed to instantiate a LoginContext and the exception: "
                    + e.getMessage());
                e.printStackTrace();
                // Maybe javax.security.auth.AuthPermission "createLoginContext" is not granted
                // to the application, or the JAAS login configuration is not defined.
            }
            if (lc != null) {
                try {
                    lc.login(); // Perform the login.
                    // Get the authenticated subject.
                    javax.security.auth.Subject s = lc.getSubject();
                    // Invoke a J2EE resource using the authenticated subject.
                    com.ibm.websphere.security.auth.WSSubject.doAs(s,
                        new java.security.PrivilegedAction() {
                            public Object run() {
                                try {
                                    bankAccount.deposit(100.00); // where bankAccount is a protected EJB
                                } catch (Exception e) {
                                    System.out.println("ERROR: error while accessing EJB resource, exception: "
                                        + e.getMessage());
                                    e.printStackTrace();
                                }
                                return null;
                            }
                        }
                    );
                    // Retrieve the name of the principal from the Subject
                    // so we can tell the user that login succeeded.
                    // There should be only one WSPrincipal.
                    java.util.Set ps =
                        s.getPrincipals(com.ibm.websphere.security.auth.WSPrincipal.class);
                    java.util.Iterator it = ps.iterator();
                    while (it.hasNext()) {
                        com.ibm.websphere.security.auth.WSPrincipal p =
                            (com.ibm.websphere.security.auth.WSPrincipal) it.next();
                        System.out.println("Principal: " + p.getName());
                    }
                } catch (javax.security.auth.login.LoginException e) {
                    System.err.println("ERROR: login failed with exception: " + e.getMessage());
                    e.printStackTrace();
                    // Login failed; you might want to provide relogin logic.
                }
            }
        }
        ...
    }
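The CORBA example passes a user ID and password directly, while the JAAS example above collects them through a GUI prompt. The following added example, which is not part of the original documentation, shows the closer one-to-one migration by using the product's non-prompting com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl with the same "WSLogin" configuration. It assumes the WebSphere client runtime is on the classpath; the class name NonPromptLoginClient and the helper methods login and userName are illustrative.

```java
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

// Illustrative class, not product code; needs the WebSphere client runtime on the classpath.
public class NonPromptLoginClient {
    // Counterpart of LoginHelper.login(userid, password), using the "WSLogin" configuration.
    static LoginContext login(String userid, String password) throws LoginException {
        LoginContext lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl(userid, password));
        lc.login(); // throws LoginException when authentication fails
        return lc;
    }

    // Counterpart of LoginHelper.getUserName(credentials).
    static String userName(Subject s) {
        Set<WSPrincipal> ps = s.getPrincipals(WSPrincipal.class);
        return ps.isEmpty() ? null : ps.iterator().next().getName();
    }

    public static void main(String[] args) {
        java.io.Console console = System.console();
        if (console == null) throw new IllegalStateException("no interactive console");
        String userid = console.readLine("User ID: ");
        char[] pw = console.readPassword("Password: "); // input is not echoed
        if (userid == null || pw == null) {
            return; // end of input
        }
        try {
            LoginContext lc = login(userid, new String(pw));
            Subject s = lc.getSubject();
            System.out.println("Security context set for user: " + userName(s));
            // Unlike setInvocationCredentials, the identity applies only inside doAs.
            WSSubject.doAs(s, new PrivilegedAction<Object>() {
                public Object run() {
                    // Invoke the protected J2EE resource here (placeholder).
                    return null;
                }
            });
            lc.logout(); // discard the principals and credentials
        } catch (LoginException e) {
            System.err.println("ERROR: login failed: " + e.getMessage());
        }
    }
}
```

Reading the password with Console.readPassword keeps it out of the command line and terminal echo, and calling logout when the work is done removes the principals and credentials from the Subject.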