com.ibm.wsspi.security.token

Class WSSecurityPropagationHelper

  • java.lang.Object
    • com.ibm.wsspi.security.token.WSSecurityPropagationHelper


  • public class WSSecurityPropagationHelper
    extends java.lang.Object
    This class provides propagation helper methods, including checks for whether security attribute propagation is enabled for RMI and Web inbound/outbound calls, plus helpers for reading the propagation token and validating LTPA tokens.
    Since:
    5.1.1
    Version:
    5.1.1
    • Field Detail

      • rmiInboundPropagationEnabled

        public static boolean rmiInboundPropagationEnabled
      • rmiOutboundPropagationEnabled

        public static boolean rmiOutboundPropagationEnabled
      • webInboundPropagationEnabled

        public static boolean webInboundPropagationEnabled
    • Method Detail

      • isRMIInboundPropagationEnabled

        public boolean isRMIInboundPropagationEnabled()

        This method returns whether this server advertises that it accepts inbound propagation logins. It is typically used in inbound login configurations to determine whether to do something propagation related.

        Returns:
        boolean
      • isRMIOutboundPropagationEnabled

        public boolean isRMIOutboundPropagationEnabled()

        This method returns whether this server will propagate security attributes outbound provided the target server supports propagation. It is typically used in outbound login configurations to determine whether to do something propagation related.

        Returns:
        boolean
      • isWebInboundPropagationEnabled

        public boolean isWebInboundPropagationEnabled()

        This method returns whether this server, when receiving an SSO token, will try to go to the originating server to get propagated security attributes. When disabled, the server will login with the LTPA token as it did in previous releases. When enabled, the Subject created will be the serialized version from the originating server based on information in the SSO token.

        Returns:
        boolean
      • getPropagationToken

        public static PropagationToken getPropagationToken(java.lang.String name,
                                           int version)
                                                    throws com.ibm.websphere.security.WSSecurityException

        This method gets the propagation token on the current thread of execution based upon a specific key. The key is built from the token name and version in the format name:version; the default PropagationToken has the following key: com.ibm.wsspi.security.token.AttributeNameConstants.WSPROPTOKEN_KEY_V1. For a custom PropagationToken implementation, you must know the token name and version and pass them as the name and version arguments.

        The Propagation Token feature must be enabled for this to return a token. The token interface that is returned is com.ibm.wsspi.security.token.PropagationToken. If the originating caller is UNAUTHENTICATED, this API will return null until an authenticated caller is found in the Subject.

        The attributes one might be interested in are:
        com.ibm.wsspi.security.token.AttributeNameConstants.WSPROP_CALLERS
        com.ibm.wsspi.security.token.AttributeNameConstants.WSPROP_HOSTS

        WSPROP_CALLERS returns a | delimited string of callers with the first in the list being the originating caller. Any additional callers listed are due to context switches from a J2EE runAs or JAAS doAs change. Example: realm/user1|realm/user2

        WSPROP_HOSTS returns a | delimited string of hosts with the first in the list being the originating host. Each subsequent host the invocation lands on is appended here. Example: Cell:Node1:Server1|Cell:Node2:Server1

        Note: Custom attributes may be added to the propagation token, but the codebase must have the proper Java 2 Security permissions to do so.

        Parameters:
        name - java.lang.String
        version - int
        Returns:
        com.ibm.wsspi.security.token.PropagationToken
        Throws:
        com.ibm.websphere.security.WSSecurityException
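        The following is an added example (not part of the WebSphere documentation or product code) showing how a caller reads the WSPROP_CALLERS and WSPROP_HOSTS chains from the default propagation token. It assumes that WSPROPTOKEN_KEY_V1 has the documented name:version shape, so the name and version arguments can be recovered by splitting it, and that PropagationToken exposes String[] getAttributes(String key), the accessor inherited from the Token interface. The class and method names are the example's own.

```java
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.PropagationToken;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example: reads the caller and host chain carried by the default
 * propagation token on the current thread. Not WebSphere product code.
 */
public final class CallerChain {

    /** Parsed view of WSPROP_CALLERS and WSPROP_HOSTS. */
    public static final class Chain {
        public final String originatingCaller;   // realm/user of the first caller
        public final String originatingHost;     // Cell:Node:Server the request entered on
        public final List<String> callers;       // full caller chain, in order
        public final List<String> hosts;         // full host chain, in order

        Chain(List<String> callers, List<String> hosts) {
            this.callers = Collections.unmodifiableList(callers);
            this.hosts = Collections.unmodifiableList(hosts);
            this.originatingCaller = callers.isEmpty() ? null : callers.get(0);
            this.originatingHost = hosts.isEmpty() ? null : hosts.get(0);
        }

        /** True when a J2EE runAs or JAAS doAs switch happened after the original login. */
        public boolean identitySwitched() {
            return callers.size() > 1;
        }
    }

    /**
     * Returns null when there is no propagation token on the thread: either the
     * Propagation Token feature is disabled or the originating caller is still
     * UNAUTHENTICATED, as documented for getPropagationToken.
     */
    public static Chain current() throws WSSecurityException {
        // Assumption: WSPROPTOKEN_KEY_V1 is "name:version", so split it to get
        // the two arguments getPropagationToken(String, int) expects.
        String key = AttributeNameConstants.WSPROPTOKEN_KEY_V1;
        int sep = key.lastIndexOf(':');
        String name = key.substring(0, sep);
        int version = Integer.parseInt(key.substring(sep + 1));

        PropagationToken token = WSSecurityPropagationHelper.getPropagationToken(name, version);
        if (token == null) {
            return null;
        }
        return new Chain(splitChain(firstValue(token, AttributeNameConstants.WSPROP_CALLERS)),
                         splitChain(firstValue(token, AttributeNameConstants.WSPROP_HOSTS)));
    }

    /**
     * Assumption: PropagationToken exposes String[] getAttributes(String key)
     * (inherited from the Token interface); the | delimited chain is the first element.
     */
    private static String firstValue(PropagationToken token, String attribute) {
        String[] values = token.getAttributes(attribute);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /** Splits "a|b|c" into [a, b, c], dropping empty pieces; "|" must be escaped in the regex. */
    static List<String> splitChain(String chain) {
        List<String> out = new ArrayList<String>();
        if (chain == null) {
            return out;
        }
        for (String piece : chain.split("\\|")) {
            if (piece.length() > 0) {
                out.add(piece);
            }
        }
        return out;
    }
}
```

        getPropagationToken only hands back what the inbound login placed on the thread, so the chain is best used for audit records and for correlating a request across hosts (for example, logging originatingCaller and flagging identitySwitched() on sensitive operations); authorization should continue to be made against the Subject the container built.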
      • addPropagationToken

        public static PropagationToken addPropagationToken(PropagationToken token)
                                                    throws com.ibm.websphere.security.WSSecurityException
        Throws:
        com.ibm.websphere.security.WSSecurityException
      • validateLTPAToken

        public static java.lang.String validateLTPAToken(byte[] token)
                                                  throws com.ibm.websphere.security.auth.WSLoginFailedException
        Throws:
        com.ibm.websphere.security.auth.WSLoginFailedException
      • validateToken

        public static ValidationResult validateToken(byte[] token)
                                              throws com.ibm.websphere.security.auth.ValidationFailedException
        Throws:
        com.ibm.websphere.security.auth.ValidationFailedException
      • validateToken

        public static ValidationResult validateToken(byte[] token,
                                     boolean validateRealm)
                                              throws com.ibm.websphere.security.auth.ValidationFailedException

        This method validates an LTPA token (LtpaToken or LtpaToken2) and returns a ValidationResult object. When the validateRealm argument is true, the realm in the token is additionally checked to make sure it is this process's realm or one that is trusted. If the token cannot be validated or is expired, a ValidationFailedException is thrown.

        Parameters:
        token - byte[] (LtpaToken or LtpaToken2)
        validateRealm - boolean
        Returns:
        com.ibm.websphere.security.auth.ValidationResult
        Throws:
        com.ibm.websphere.security.auth.ValidationFailedException

      • validateTokenRealm

        public static void validateTokenRealm(byte[] token)
                                       throws com.ibm.websphere.security.auth.ValidationFailedException
        Throws:
        com.ibm.websphere.security.auth.ValidationFailedException
      • getUserFromUniqueID

        public static java.lang.String getUserFromUniqueID(java.lang.String uniqueID)

        This method accepts the uniqueID returned from the validateLTPAToken method. You can also use this method to parse the uniqueID returned from the UserRegistry.getUniqueUserId (uid) method. It returns the unique userid portion of this string. For an LDAP registry, this is the DN. For a LocalOS registry, this is the LocalOS unique identifier.

        Parameters:
        String - WebSphere uniqueID
        Returns:
        String registry uniqueID
      • getRealmFromUniqueID

        public static java.lang.String getRealmFromUniqueID(java.lang.String uniqueID)

        This method accepts the uniqueID returned from the validateLTPAToken method. It returns the realm portion of this string. The realm can be used to determine where the token came from.

        Parameters:
        String - WebSphere uniqueID
        Returns:
        String registry realm
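        The following is an added example (not part of the WebSphere documentation or product code) that ties together validateTokenRealm, validateLTPAToken, getRealmFromUniqueID and getUserFromUniqueID for a token received from a client. It takes the raw token bytes (for a browser client, the Base64-decoded value of the LtpaToken2 cookie) and assumes that validateTokenRealm applies the same trusted-realm check that validateToken(token, true) documents. The class, method and log text are the example's own.

```java
import com.ibm.websphere.security.auth.ValidationFailedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;

/**
 * Added example: validates an LTPA token received from a client and splits the
 * resulting WebSphere uniqueID into realm and registry user. Not WebSphere product code.
 */
public final class LtpaTokenCheck {

    /** Identity recovered from a valid token. */
    public static final class Identity {
        public final String uniqueId;   // WebSphere uniqueID as returned by validateLTPAToken
        public final String realm;      // where the token came from
        public final String user;       // registry id: the DN for LDAP, the OS id for LocalOS

        Identity(String uniqueId, String realm, String user) {
            this.uniqueId = uniqueId;
            this.realm = realm;
            this.user = user;
        }
    }

    /**
     * Validates the bytes of an LtpaToken or LtpaToken2. Returns null for
     * anything that is not a valid, unexpired token from this process's realm
     * or a trusted one; the caller must then treat the request as unauthenticated.
     */
    public static Identity validate(byte[] token) {
        if (token == null || token.length == 0) {
            return null;
        }
        try {
            // Realm first: a token minted by an untrusted realm is rejected before
            // any identity inside it is looked at. Assumption: same check as
            // validateToken(token, true).
            WSSecurityPropagationHelper.validateTokenRealm(token);

            // Validation against this cell's LTPA keys; the page documents that an
            // invalid or expired token results in WSLoginFailedException.
            String uniqueId = WSSecurityPropagationHelper.validateLTPAToken(token);

            // Do not parse the uniqueID by hand; its layout is registry-specific.
            String realm = WSSecurityPropagationHelper.getRealmFromUniqueID(uniqueId);
            String user = WSSecurityPropagationHelper.getUserFromUniqueID(uniqueId);
            if (realm == null || user == null) {
                audit("uniqueID could not be split", null);
                return null;
            }
            return new Identity(uniqueId, realm, user);
        } catch (ValidationFailedException e) {
            audit("realm check failed", e);
            return null;
        } catch (WSLoginFailedException e) {
            audit("token invalid or expired", e);
            return null;
        }
    }

    /** Records the outcome only; the token bytes are never logged. */
    private static void audit(String reason, Exception e) {
        String detail = (e == null) ? "" : " (" + e.getMessage() + ")";
        System.err.println("LTPA validation rejected: " + reason + detail);
    }
}
```

        Both failure paths return null rather than a partially filled Identity, so a caller cannot accidentally proceed on a realm or user taken from a token whose signature or expiry was never checked; the realm returned by getRealmFromUniqueID can be compared against the application's own realm when a stricter pin than "trusted realm" is wanted.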
IBM WebSphere Application ServerTM
Release 8.5