[AIX Solaris HP-UX Linux Windows][z/OS]

Using the SCA RequestContext.getSecuritySubject() API

The Service Component Architecture (SCA) RequestContext.getSecuritySubject() application programming interface returns a Java Authentication and Authorization Service (JAAS) subject that represents an authenticated user who accesses the protected SCA service.

Before you begin

SCA service developers can use the RequestContext.getSecuritySubject() API to obtain a JAAS Subject that represents the requester.

If one or more of the following preconditions are not met, the SCA request is not authenticated, and the RequestContext.getSecuritySubject() API returns a null Subject:

About this task

When using the RequestContext.getSecuritySubject() API, perform the following steps:

Procedure

  1. Use the RequestContext.getSecuritySubject API in your file.

    The following example utilizes the OSOA RequestContext.getSecuritySubject API:

    import org.osoa.sca.annotations.Context;
    import org.osoa.sca.annotations.Service;
    import org.osoa.sca.RequestContext;
    import javax.security.auth.Subject;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import com.ibm.websphere.security.cred.WSCredential;

    @Service(EchoService.class)
    public class EchoServiceWithIdentityComponentImpl implements EchoService
    {
        // Injected by the SCA runtime
        @Context
        protected RequestContext requestContext;

        public String echo_String(String input)
        {
            try {
                Subject subject = null;
                String securityName = null;

                if (requestContext != null) {
                    // Null if the request was not authenticated
                    subject = requestContext.getSecuritySubject();
                }

                if (subject != null) {
                    Set<Principal> principalSet = subject.getPrincipals();
                    if (principalSet != null && principalSet.size() > 0) {
                        Iterator<Principal> principalIterator = principalSet.iterator();
                        if (principalIterator.hasNext()) {
                            // Use the name of the first principal as the security name
                            Principal principal = principalIterator.next();
                            securityName = principal.getName();
                        }
                    }
                }
            } catch (Exception ex) {
                // Handle exception
            }
            return input;
        }
    }

    The same example applies to using the OASIS RequestContext.getSecuritySubject API with the exception of package name changes:

    import org.oasisopen.sca.annotation.Context;
    import org.oasisopen.sca.annotation.Service;
    import org.oasisopen.sca.RequestContext;

  2. You can obtain various security attributes of the request from the WSCredential object in the subject as shown in the following example:

    // Place this fragment inside the try block from step 1: the WSCredential
    // getters declare checked exceptions. Here securityName is a StringBuffer
    // that replaces the String variable used in step 1.
    StringBuffer securityName = null;

    if (subject != null) {
        java.util.Set<Object> credSet = subject.getPublicCredentials();
        if (credSet != null && credSet.size() > 0)
        {
            Iterator<Object> credIterator = credSet.iterator();
            while (credIterator.hasNext()) {
                Object o = credIterator.next();
                WSCredential cred = null;
                if (o instanceof WSCredential) {
                    cred = (WSCredential) o;
                } else {
                    // Record any other public credential by class name only
                    if (securityName == null) {
                        securityName = new StringBuffer();
                    }
                    securityName.append("\n>> Found a public credential: " + o.getClass().getName());
                }
                if (cred != null) {
                    if (securityName == null) {
                        securityName = new StringBuffer();
                    }
                    securityName.append("\n>> WSCredential security attributes . . .");
                    securityName.append("\n>> getAccessId = \t\t" + cred.getAccessId());
                    securityName.append("\n>> getGroupIds = \t\t" + cred.getGroupIds());
                    securityName.append("\n>> getPrimaryGroupId = \t\t" + cred.getPrimaryGroupId());
                    securityName.append("\n>> getRealmName = \t\t" + cred.getRealmName());
                    securityName.append("\n>> getRealmSecurityName = \t\t" + cred.getRealmSecurityName());
                    securityName.append("\n>> getRealmUniqueSecurityName = \t\t" + cred.getRealmUniqueSecurityName());
                    securityName.append("\n>> getSecurityName = \t\t" + cred.getSecurityName());
                    securityName.append("\n>> getUniqueSecurityName = \t\t" + cred.getUniqueSecurityName());
                }
            }
        }
    }

    The principal identity consists of a realm name followed by the identity of the requester. For example, assume WebSphere® Application Server is configured to use a Lightweight Directory Access Protocol (LDAP) server for authentication. The realm name is the LDAP server host name and the port number:

    security name = ldap1.austin.ibm.com:389/user2

    Sample output is shown below:

    >> WSCredential security attributes . . . 
    >> getAccessId = 			user:ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us 
    >> getGroupIds = 			[group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US] 
    >> getPrimaryGroupId = 		group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US 
    >> getRealmName = 		ldap1.austin.ibm.com:389 
    >> getRealmSecurityName = 	ldap1.austin.ibm.com:389/user2 
    >> getRealmUniqueSecurityName = ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us 
    >> getSecurityName = 		user2 
    >> getUniqueSecurityName = 	cn=user2,o=ibm,c=us
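
An added example, not part of the original page or the product's code: a fail-closed helper for the case described above, where getSecuritySubject() returns a null Subject for an unauthenticated request, that also checks the realm part of the principal identity. It uses only JDK classes; the class name CallerIdentity, the require method and splitting the principal name at the first '/' are assumptions made for illustration, and in a service the first argument would be requestContext.getSecuritySubject().

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical helper (not a WebSphere or SCA class).
public class CallerIdentity {
    public final String realm;
    public final String user;

    private CallerIdentity(String realm, String user) {
        this.realm = realm;
        this.user = user;
    }

    // Fail closed: a null Subject means the request was not authenticated.
    public static CallerIdentity require(Subject subject, String expectedRealm) {
        if (subject == null) {
            throw new SecurityException("unauthenticated request: no JAAS Subject");
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals.isEmpty()) {
            throw new SecurityException("Subject carries no principal");
        }
        String name = principals.iterator().next().getName();
        // Assumption: the realm ends at the first '/', as in "host:port/user".
        int slash = name.indexOf('/');
        if (slash <= 0 || slash == name.length() - 1) {
            throw new SecurityException("principal name is not realm-qualified");
        }
        String realm = name.substring(0, slash);
        if (!realm.equals(expectedRealm)) {
            throw new SecurityException("unexpected realm: " + realm);
        }
        return new CallerIdentity(realm, name.substring(slash + 1));
    }

    public static void main(String[] args) {
        // Constructed sample input mirroring the page's LDAP example.
        Subject ok = new Subject();
        ok.getPrincipals().add(() -> "ldap1.austin.ibm.com:389/user2");
        CallerIdentity id = require(ok, "ldap1.austin.ibm.com:389");
        System.out.println(id.realm + " -> " + id.user);
        try {
            require(null, "ldap1.austin.ibm.com:389");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When the Subject carries a WSCredential, the getRealmName and getSecurityName getters shown in step 2 supply the same two values without parsing the principal name.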

Last updated: April 20, 2014 08:46 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=tsec_authsoa_requestapi
File name: tsec_authsoa_requestapi.html