Using the SCA RequestContext.getSecuritySubject() API

The Service Component Architecture (SCA) Version 1.0 Java Common Annotations and APIs Specification defines the RequestContext.getSecuritySubject() programming interface. It returns a Java Authentication and Authorization Service (JAAS) Subject that represents the authenticated user who is accessing the protected SCA service. If the request was not authenticated, the method returns null rather than a Subject, so callers must check for null before using the result.

Before you begin

Note: SCA service developers can use the RequestContext.getSecuritySubject() API to obtain a JAAS Subject that represents the requester.

If one or more of the following preconditions are not met, the SCA request is not authenticated, and the RequestContext.getSecuritySubject() API returns a null Subject:

About this task

When using the RequestContext.getSecuritySubject() API, perform the following steps:

Procedure

  1. Add an authentication intent, or specify a PolicySet, in the binding element of the SCA service composite file to enforce SCA request authentication. The following composite requires the "authentication.transport" intent on the web service binding, so the container authenticates the requester at the transport level before the service implementation is invoked:
    <composite xmlns="http://www.osoa.org/xmlns/sca/1.0" 
               xmlns:dbsdo="http://tuscany.apache.org/xmlns/sca/databinding/sdo/1.0"
               xmlns:wsdli="http://www.w3.org/2004/08/wsdl-instance"
               xmlns:qos="http://www.ibm.com/xmlns/prod/websphere/sca/1.0/2007/06"
               name="EchoServiceWithIdentityWSComposite">
        <component name="EchoServiceWithIdentityWSComponent">
            <implementation.java class="test.ws.soa.sca.qos.policy.echoRelayServiceTest.echoService.EchoServiceWithIdentityComponentImpl"/>
            <service name="EchoService">
                <binding.ws uri="EchoServiceWithIdentity"
                    wsdlElement="http://echo#wsdl.port(EchoServiceWithIdentity/EchoServiceWithIdentitySoapPort)"
                    requires="authentication.transport" />
            </service>
        </component>
    </composite>  
  2. Specify the "WSHTTPS default" PolicySet in the SCA client composite file. The "HTTP Transport" default PolicySet binding carries a user name and password that the client uses for its outbound requests; these are the credentials the service-side intent from step 1 authenticates.
    The following example uses the RequestContext.getSecuritySubject() API. The @Context annotation asks the SCA container to inject the RequestContext; injection happens only when the component runs inside the container, so the field is checked for null before use:
    import org.osoa.sca.annotations.Context;
    import org.osoa.sca.annotations.Service;
    import org.osoa.sca.RequestContext;
    import javax.security.auth.Subject;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import com.ibm.websphere.security.cred.WSCredential;

    @Service(EchoService.class)
    public class EchoServiceWithIdentityComponentImpl implements EchoService
    {
        // Injected by the SCA container; describes the current invocation.
        @Context
        protected RequestContext requestContext;

        public String echo_String(String input)
        {
            try {
                Subject subject = null;
                String securityName = null;

                if (requestContext != null) {
                    subject = requestContext.getSecuritySubject();
                }

                // A null Subject means the request was not authenticated;
                // never treat it as an identity.
                if (subject != null) {
                    Set<Principal> principalSet = subject.getPrincipals();
                    if (principalSet != null && !principalSet.isEmpty()) {
                        Iterator<Principal> principalIterator = principalSet.iterator();
                        if (principalIterator.hasNext()) {
                            Principal principal = principalIterator.next();
                            // Has the form realm/user, for example ldap1.austin.ibm.com:389/user2
                            securityName = principal.getName();
                        }
                    }
                }
    . . .
  3. The principal name consists of the realm name followed by the identity of the requester, as shown below. In this example WebSphere® Application Server is configured to use a Lightweight Directory Access Protocol (LDAP) server for authentication, so the realm name is the LDAP server host name and port number:
    security name = ldap1.austin.ibm.com:389/user2
    You can obtain various security attributes of the request from the WSCredential object in the subject as shown in the following example:
    if (subject != null) {
        // The attribute dump is collected separately from the String securityName
        // obtained from the Principal above.
        StringBuilder attributes = new StringBuilder();
        Set<Object> credSet = subject.getPublicCredentials();
        if (credSet != null && !credSet.isEmpty())
        {
            for (Object o : credSet) {
                if (!(o instanceof WSCredential)) {
                    attributes.append("\n>> Found a public credential: " + o.getClass().getName());
                    continue;
                }
                WSCredential cred = (WSCredential) o;
                try {
                    attributes.append("\n>> WSCredential security attributes . . .");
                    attributes.append("\n>> getAccessId = \t\t" + cred.getAccessId());
                    attributes.append("\n>> getGroupIds = \t\t" + cred.getGroupIds());
                    attributes.append("\n>> getPrimaryGroupId = \t\t" + cred.getPrimaryGroupId());
                    attributes.append("\n>> getRealmName = \t\t" + cred.getRealmName());
                    attributes.append("\n>> getRealmSecurityName = \t\t" + cred.getRealmSecurityName());
                    attributes.append("\n>> getRealmUniqueSecurityName = \t\t" + cred.getRealmUniqueSecurityName());
                    attributes.append("\n>> getSecurityName = \t\t" + cred.getSecurityName());
                    attributes.append("\n>> getUniqueSecurityName = \t\t" + cred.getUniqueSecurityName());
                } catch (Exception e) {
                    // The WSCredential getters declare CredentialExpiredException and
                    // CredentialDestroyedException; an expired or destroyed credential
                    // must not be used as the requester's identity.
                    attributes.append("\n>> WSCredential is not usable: " + e);
                }
            }
        }
    }
    Sample output is shown below:
    >> WSCredential security attributes . . . 
    >> getAccessId = 			user:ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us 
    >> getGroupIds = 			[group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US] 
    >> getPrimaryGroupId = 		group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US 
    >> getRealmName = 		ldap1.austin.ibm.com:389 
    >> getRealmSecurityName = 	ldap1.austin.ibm.com:389/user2 
    >> getRealmUniqueSecurityName = ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us 
    >> getSecurityName = 		user2 
    >> getUniqueSecurityName = 	cn=user2,o=ibm,c=us
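    The steps above show how to read the identity; the following component shows how to act on it. This is an added example, not code from the product documentation or from any product sample. The OrderService interface, the OrderServiceImpl class, the approveOrder method and the REALM and APPROVER_DN constants are hypothetical; the realm and group distinguished name are taken from the sample output above. The service fails closed when getSecuritySubject() returns null, because a null Subject is an unauthenticated request rather than an identity, and it authorizes the caller by looking for a group access ID of the form group:<realm>/<DN>, which is the format getGroupIds() produced in the sample output.

```java
import java.util.List;
import javax.security.auth.Subject;
import org.osoa.sca.RequestContext;
import org.osoa.sca.annotations.Context;
import org.osoa.sca.annotations.Service;
import com.ibm.websphere.security.cred.WSCredential;

// Hypothetical service; OrderService is assumed to declare approveOrder(String).
@Service(OrderService.class)
public class OrderServiceImpl implements OrderService
{
    // Assumed values, taken from the sample output above.
    private static final String REALM = "ldap1.austin.ibm.com:389";
    private static final String APPROVER_DN = "CN=GROUP2,O=IBM,C=US";

    @Context
    protected RequestContext requestContext;

    public String approveOrder(String orderId)
    {
        Subject subject = (requestContext == null) ? null : requestContext.getSecuritySubject();

        // Fail closed: with no authenticated Subject there is no identity to authorize.
        if (subject == null) {
            throw new SecurityException("request is not authenticated");
        }

        WSCredential cred = findWSCredential(subject);
        if (cred == null || !isMemberOf(cred, REALM, APPROVER_DN)) {
            throw new SecurityException("caller is not a member of " + APPROVER_DN);
        }
        return "order " + orderId + " approved by " + callerName(cred);
    }

    // The WebSphere credential is one of the Subject's public credentials.
    static WSCredential findWSCredential(Subject subject)
    {
        for (Object o : subject.getPublicCredentials()) {
            if (o instanceof WSCredential) {
                return (WSCredential) o;
            }
        }
        return null;
    }

    // Group access IDs have the form group:<realm>/<group DN>, as in the sample output.
    static boolean isMemberOf(WSCredential cred, String realm, String groupDn)
    {
        String wanted = "group:" + realm + "/" + groupDn;
        try {
            List<?> groups = cred.getGroupIds();
            if (groups == null) {
                return false;
            }
            for (Object g : groups) {
                // DN attribute types are case-insensitive. equalsIgnoreCase is a
                // simplification of full DN matching and assumes the registry returns
                // DNs in a consistent form, as the sample output shows.
                if (wanted.equalsIgnoreCase(String.valueOf(g))) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // getGroupIds declares CredentialExpiredException and
            // CredentialDestroyedException; an unusable credential grants nothing.
            return false;
        }
    }

    static String callerName(WSCredential cred)
    {
        try {
            return cred.getRealmSecurityName();   // for example ldap1.austin.ibm.com:389/user2
        } catch (Exception e) {
            return "<credential unavailable>";
        }
    }
}
```

    The check is deliberately written against the realm-qualified group ID rather than the bare group name, so a group with the same name in a different realm does not satisfy it. If the service must also run without the "authentication.transport" intent (for example during local testing), the null check is what keeps an unauthenticated call from being processed as an anonymous approval.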

Last updated: Sep 19, 2011 3:08:41 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-zos&topic=tsec_authsoa_requestapi
File name: tsec_authsoa_requestapi.html