An application or system provider can perform an identity assertion
with trust validation by using the Java Authentication and Authorization
Service (JAAS) login framework: trust validation is performed in one
login module and credential creation in another. These two custom
login modules are combined into a JAAS login configuration that
performs the identity-assertion login.
Two custom login modules are required:
- A user-implemented trust association login module. This login
module performs whatever trust verification the user requires. When
trust is verified, the trust verification status and the login identity
must be placed in a map in the shared state of the login module so that
the credential creation login module can use that information.
The map must be stored in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state
property. The state map contains the following entries:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
– set to true if trusted, and false if not trusted.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
– contains the principal of the identity.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
– contains the certificate chain of the identity.
- The com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule
module performs the credential creation. It requires that the trust
state information be in the login context's shared state. This
login module is protected by the Java 2
security runtime permissions for the following:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login
IdentityAssertionLoginModule searches for the trust information
in the shared state property com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state.
This is a map that contains the trust status and the identity used
to log in. The map includes the following:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted
– true if trusted, false if not trusted.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
– if a principal is used, it contains the principal of the identity
to log in.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
– if a certificate is used, it contains an array holding the certificate
chain that includes the identity to log in.
A WSLoginFailedException is thrown if the state, trust, or identity
information is missing. Otherwise the login module performs a login of
the identity, and the subject then contains the new identity.
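The following is an added example, not WebSphere's own code, of the user-implemented trust association login module described above: it runs the trust check and stores the state map under the shared-state keys that IdentityAssertionLoginModule reads. The trust rule (a comma-separated "trustedAsserters" module option), the callback prompts, the AssertedPrincipal class and the host and user names in main() are all assumptions made for the example; the principal is assumed to be a java.security.Principal instance.

```java
// Added example, not WebSphere's own code: a trust-verification login module
// that fills the shared-state map IdentityAssertionLoginModule expects.
// The "trustedAsserters" option and the callback prompts are assumptions.
package com.example.security;

import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class TrustAssociationLoginModule implements LoginModule {

    // Shared-state keys named on this page. They are plain strings, so a typo
    // here leaves the next module without its state and the login fails.
    static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule";
    static final String STATE_KEY = PREFIX + ".state";
    static final String TRUSTED_KEY = PREFIX + ".trusted";
    static final String PRINCIPAL_KEY = PREFIX + ".principal";
    // PREFIX + ".certificates" would carry the certificate chain instead of a
    // principal when the asserted identity arrives as a certificate.

    // Minimal Principal for the asserted identity (an assumption of the example).
    static final class AssertedPrincipal implements Principal {
        private final String name;
        AssertedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private Map<String, ?> options;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        // Assumed inputs: who makes the assertion and which user is asserted.
        NameCallback asserter = new NameCallback("asserting party: ");
        NameCallback asserted = new NameCallback("asserted user: ");
        try {
            handler.handle(new Callback[] { asserter, asserted });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failure: " + e);
        }

        boolean trusted = isTrustedAsserter(asserter.getName());
        Map<String, Object> state = new HashMap<>();
        state.put(TRUSTED_KEY, Boolean.valueOf(trusted));
        if (trusted) {
            // Publish the identity only once trust is established, so an
            // untrusted caller cannot smuggle a principal into the chain.
            state.put(PRINCIPAL_KEY, new AssertedPrincipal(asserted.getName()));
        }
        sharedState.put(STATE_KEY, state);
        // Return true so the chain proceeds; IdentityAssertionLoginModule
        // reads the trusted flag and decides whether the login succeeds.
        return true;
    }

    // Assumed trust rule: the asserting party must be listed in the module
    // option "trustedAsserters" (comma separated); absent means nobody.
    private boolean isTrustedAsserter(String asserter) {
        Object list = options == null ? null : options.get("trustedAsserters");
        if (asserter == null || list == null) {
            return false;
        }
        for (String entry : list.toString().split(",")) {
            if (entry.trim().equals(asserter)) {
                return true;
            }
        }
        return false;
    }

    // No credentials are created here, so commit/abort/logout have nothing to do.
    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }

    // Stand-alone check with a constructed callback handler; no WebSphere needed.
    public static void main(String[] args) throws LoginException {
        CallbackHandler answers = callbacks -> {
            ((NameCallback) callbacks[0]).setName("gateway.example.com");
            ((NameCallback) callbacks[1]).setName("alice");
        };
        Map<String, Object> shared = new HashMap<>();
        Map<String, String> opts = new HashMap<>();
        opts.put("trustedAsserters", "gateway.example.com,proxy.example.com");
        LoginModule module = new TrustAssociationLoginModule();
        module.initialize(new Subject(), answers, shared, opts);
        module.login();
        @SuppressWarnings("unchecked")
        Map<String, Object> state = (Map<String, Object>) shared.get(STATE_KEY);
        System.out.println("trusted=" + state.get(TRUSTED_KEY) + " principal="
            + ((Principal) state.get(PRINCIPAL_KEY)).getName());
    }
}
```

In the JAAS login configuration this module must be listed before com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule, because the shared state is only populated during this module's login() and the IBM module throws WSLoginFailedException when the state entry is absent. The module writes trusted=false rather than throwing on a failed check so that the rejection is recorded in the same place the credential-creation module reads; withholding the principal in that case keeps an untrusted caller from influencing the identity that would be logged in.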