Using the Java Authentication and Authorization Service (JAAS) login framework, you can create a JAAS login configuration that performs a login by identity assertion.
Before you begin
You can allow an application or system provider to perform an identity assertion with trust validation. To do this, you use the JAAS login framework: trust validation is accomplished in one login module and credential creation in another. Together, the two login modules form a JAAS login configuration that performs a login by identity assertion. Two login modules are required:
- User implemented trust association login module (trust validation): performs whatever trust verification the user requires. When trust is verified, the trust verification status and the login identity must be put into a map in the shared state of the login module so that the credential creation login module can use the information. The map is stored under the shared-state property com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state and consists of:
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted (set to true if trusted and false if not trusted)
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal (contains the principal of the identity)
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates (contains the certificate of the identity)
- Identity assertion login module (credential creation): com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule performs the credential creation. This module relies on the trust state information being in the login context's shared state. The login module is protected by the Java 2 security runtime permissions for:
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login
  The identity assertion login module looks for the trust information in the shared-state property com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state, which contains the trust status and the identity to log in and should include:
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted (true indicates trusted, false indicates not trusted)
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal (contains the principal of the identity to log in, if using a principal)
  - com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates (contains an array holding the certificate chain that contains the identity to log in, if using a certificate)
  A WSLoginFailedException is returned if the state, trust, or identity information is missing. The login module then performs a login of the identity, and the subject contains the new identity.
Procedure
- Delegate trust validation to a user implemented plug point. Trust validation must be accomplished in a custom login module. This custom login module should perform any trust validation required, then set the trust and identity information in the shared state to be passed on to the identity assertion login module. A map is required under the shared-state key com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state. If the state is missing, the IdentityAssertionLoginModule throws a WSLoginFailedException. This map must include:
  - A trust key called com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted. If the key is set to true, trust is established. If the key is set to false, no trust is established. If the trust key is not set to true, the IdentityAssertionLoginModule throws a WSLoginFailedException.
  - An identity key. Either a java.security.Principal is set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal key, or a java.security.cert.X509Certificate[] is set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates key. If both a principal and a certificate are supplied, the principal is used and a warning is issued.
- Create a new JAAS configuration for application logins. The JAAS configuration contains the user implemented trust validation custom login module and the IdentityAssertionLoginModule. To configure an application login configuration, perform the following in the administrative console:
  - Expand Security > Global security.
  - Expand Java authentication and authorization services > Application logins.
  - Select New.
  - Give the JAAS configuration an alias.
  - Click Apply.
  - Select JAAS Login Modules.
  - Select New.
  - Enter the Module class name of the user implemented trust validation custom login module.
  - Click Apply.
  - Enter the Module class name com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.
  - Make sure the Module class name entries are in the correct order. The user implemented trust validation login module must be first and the IdentityAssertionLoginModule must be the second class in the list.
  - Click Save.
  This JAAS configuration is then used by the application to perform an identity assertion.
- Perform the programmatic identity assertion. A program can now use the JAAS login configuration to perform a programmatic identity assertion. The application program creates a login context for the JAAS configuration created in step 2, then logs in to that login context with the identity it wants to assert. If the login is successful, that identity can be set in the current running process. Here is an example of how such code operates (MyCallbackHandler and MyPrincipal are application-supplied classes):
  import javax.security.auth.Subject;
  import javax.security.auth.login.LoginContext;
  import com.ibm.websphere.security.auth.WSSubject;

  // The callback handler supplies the identity to assert to the trust validation login module
  MyCallbackHandler handler = new MyCallbackHandler(new MyPrincipal("Joe"));
  LoginContext lc = new LoginContext("MyAppLoginConfig", handler); // alias created in step 2
  lc.login(); // throws a LoginException (WSLoginFailedException) if trust or identity information is missing
  Subject s = lc.getSubject();
  WSSubject.setRunAsSubject(s);
  // From here on, the RunAs identity is "Joe"
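The user implemented trust validation login module that step 1 (and the Before you begin section) describes, as an added example that is not IBM's code. It assumes a hypothetical module option named trustedAsserters listing the authenticated callers allowed to assert identities, assumes WSSubject.getCallerPrincipal() is available to identify that caller, takes the identity to assert from a standard NameCallback, and writes its verdict under the shared-state keys named on this page.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.auth.WSSubject;

// Hypothetical trust-validation module: configured FIRST in the alias, ahead of IdentityAssertionLoginModule.
public class MyTrustValidationLoginModule implements LoginModule {
    private static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.";
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private String trustedAsserters; // hypothetical option: comma-separated caller names allowed to assert

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        this.trustedAsserters = "," + String.valueOf(options.get("trustedAsserters")) + ",";
    }

    @Override
    public boolean login() throws LoginException {
        // The application's CallbackHandler supplies the name of the identity to assert.
        NameCallback nameCb = new NameCallback("identity to assert: ");
        try { handler.handle(new Callback[] { nameCb }); }
        catch (Exception e) { throw new LoginException("cannot obtain asserted identity: " + e); }
        // Trust validation (site-specific): only an already-authenticated caller on the allow list may assert.
        String caller = WSSubject.getCallerPrincipal(); // assumed API; null when no caller is authenticated
        boolean trusted = caller != null && trustedAsserters.contains("," + caller + ",");
        // Publish the verdict and the identity under the documented shared-state keys.
        String name = nameCb.getName();
        Principal asserted = () -> name; // Principal has a single abstract method, getName()
        Map<String, Object> state = new HashMap<>();
        state.put(PREFIX + "trusted", Boolean.valueOf(trusted));
        state.put(PREFIX + "principal", asserted); // or PREFIX + "certificates" with an X509Certificate[]
        sharedState.put(PREFIX + "state", state);
        return true; // IdentityAssertionLoginModule throws WSLoginFailedException unless trusted is true
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { return true; }
    @Override public boolean logout() { return true; }
}
```

Because the module never grants trust itself but only records a verdict, an untrusted caller still reaches IdentityAssertionLoginModule, which rejects the login with WSLoginFailedException as described above.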
Results
Using the JAAS login framework and the two login modules described above, you can create a JAAS login configuration that performs a login by identity assertion.