使用缺省授权令牌来传播安全性属性
本主题说明 WebSphere® Application Server 如何使用缺省授权令牌。当您查找位置以添加将传播到下游的字符串属性时,考虑使用缺省授权令牌。
关于此任务
但是,请确保添加到授权令牌的属性特定于与认证的主体集关联的用户。如果这些属性不是特定于用户的,那么它们可能属于传播令牌(它也随请求一起传播)。有关传播令牌的更多信息,请参阅使用缺省传播令牌来传播安全性属性。要将属性添加到授权令牌中,您必须将定制登录模块插入到配置的各种系统登录模块中。任何配置了 com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule 实现的登录模块配置,都可以接收传播的信息,并且可以生成可向外发送到另一个服务器的传播信息。
如果在初始登录期间未将传播的属性提供给登录配置,那么在登录发生在 ltpaLoginModule 登录模块中后,会在 wsMapDefaultInboundLoginModule 登录模块中创建缺省授权令牌。可以使用 sharedState 散列映射从 login 方法获取对缺省授权令牌的引用。必须在 WebSphere Application Server 的 wsMapDefaultInboundLoginModule 实现后插入定制登录模块,才能查看授权令牌。
有关 Java™ 认证和授权服务 (JAAS) 编程模型的更多信息,请参阅“安全性:学习资源”一文。
过程
示例
以下示例显示完整任务:从 login 方法获取对缺省授权令牌的引用、将属性添加到令牌,以及读取用于授权的现有属性。
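/**
 * Sample JAAS login module that reads, and adds to, the default WebSphere
 * AuthorizationToken that wsMapDefaultInboundLoginModule places in the shared state.
 *
 * <p>That token exists only after ltpaLoginModule and wsMapDefaultInboundLoginModule
 * have run, so this module must be configured after wsMapDefaultInboundLoginModule;
 * earlier in the chain the shared state holds no token and {@link #login()} does nothing.
 *
 * <p>The original listing declared the type as {@code public customLoginModule() {}}
 * (no {@code class} keyword), read the token through a field named {@code sharedState}
 * and {@code defaultAuthorizationToken} that was never declared, and omitted the
 * {@code return} statements and the {@code abort}/{@code logout} methods required by
 * {@code LoginModule}; those are fixed here and the type name is kept unchanged.
 */
public class customLoginModule implements javax.security.auth.spi.LoginModule {

    /** Shared state handed in by the JAAS framework; the token is stored under WSAUTHZTOKEN_KEY. */
    private java.util.Map _sharedState = null;

    /** The default authorization token, or null when the login configuration did not generate one. */
    private com.ibm.wsspi.security.token.AuthorizationToken defaultAuthzToken = null;

    /**
     * Keeps a reference to the shared-state map so that {@link #login()} can look up the token.
     * (For the remaining initialization steps, see the topic on developing custom login
     * modules for a JAAS system login configuration.)
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map sharedState, Map options) {
        _sharedState = sharedState;
    }

    /**
     * Adds a custom attribute to the default AuthorizationToken and reads the attributes
     * the runtime already stored in it.
     * (For the other login-phase steps, see the topic on developing custom login modules
     * for a JAAS system login configuration.)
     *
     * @return always {@code true}; when no token is present the method is a no-op, not a veto
     * @throws LoginException as a WSLoginFailedException wrapping any failure while reading
     *         or writing the token, for example a non-numeric expiration attribute
     */
    @Override
    public boolean login() throws LoginException {
        // The framework calls initialize() before login(), so _sharedState is set here. A token
        // is present only when wsMapDefaultInboundLoginModule ran earlier in the configuration.
        defaultAuthzToken = (com.ibm.wsspi.security.token.AuthorizationToken)
                _sharedState.get(com.ibm.wsspi.security.auth.callback.Constants.WSAUTHZTOKEN_KEY);
        if (defaultAuthzToken == null) {
            return true;
        }
        try {
            // Attributes added here travel downstream with the token, so they must be specific
            // to the authenticated user; non-user-specific data belongs in the propagation token.
            defaultAuthzToken.addAttribute("key1", "value1");

            printAllAttributes();

            // Read the attributes the runtime already stored in the token.
            String unique_id = firstValue(defaultAuthzToken.getAttributes(
                    com.ibm.wsspi.security.token.AttributeNameConstants.WSCREDENTIAL_UNIQUEID), "");

            // The expiration is stored as a string; an unparsable value surfaces as a
            // NumberFormatException and is wrapped by the catch below.
            long expire_time = 0;
            String expirationText = firstValue(defaultAuthzToken.getAttributes(
                    com.ibm.wsspi.security.token.AttributeNameConstants.WSCREDENTIAL_EXPIRATION), null);
            if (expirationText != null) {
                expire_time = Long.parseLong(expirationText);
            }

            String display_name = firstValue(defaultAuthzToken.getAttributes(
                    com.ibm.wsspi.security.token.AttributeNameConstants.WSCREDENTIAL_SECURITYNAME), "");

            String long_security_name = firstValue(defaultAuthzToken.getAttributes(
                    com.ibm.wsspi.security.token.AttributeNameConstants.WSCREDENTIAL_LONGSECURITYNAME), "");

            // Copy the group list out of the token; the sample only prints it.
            String[] groupList = defaultAuthzToken.getAttributes(
                    com.ibm.wsspi.security.token.AttributeNameConstants.WSCREDENTIAL_GROUPS);
            java.util.List groups = new ArrayList();
            if (groupList != null) {
                for (int i = 0; i < groupList.length; i++) {
                    System.out.println("group[" + i + "] = " + groupList[i]);
                    groups.add(groupList[i]);
                }
            }
        } catch (Exception e) {
            // Keep the cause so the failure can be diagnosed from the wrapped exception.
            throw new WSLoginFailedException(e.getMessage(), e);
        }
        return true;
    }

    /**
     * Commit phase. (For what to do here, see the topic on developing custom login modules
     * for a JAAS system login configuration.)
     *
     * @return {@code true}; this sample adds nothing to the Subject
     */
    @Override
    public boolean commit() throws LoginException {
        return true;
    }

    /**
     * Abort phase: drops the token reference taken in {@link #login()}.
     *
     * @return {@code true}
     */
    @Override
    public boolean abort() throws LoginException {
        defaultAuthzToken = null;
        return true;
    }

    /**
     * Logout phase; this sample holds no state that needs to be removed from the Subject.
     *
     * @return {@code true}
     */
    @Override
    public boolean logout() throws LoginException {
        return true;
    }

    /**
     * Illustrative only: prints every attribute currently in the token. The values are the
     * authenticated user's security attributes, so this dump is for a debugging sample and
     * should not be left in a module that writes to production logs.
     */
    private void printAllAttributes() {
        java.util.Enumeration listOfAttributes = defaultAuthzToken.getAttributeNames();
        while (listOfAttributes.hasMoreElements()) {
            String key = (String) listOfAttributes.nextElement();
            String[] values = defaultAuthzToken.getAttributes(key);
            if (values == null) {
                continue;
            }
            for (int i = 0; i < values.length; i++) {
                System.out.println("Key: " + key + ", Value[" + i + "]: " + values[i]);
            }
        }
    }

    /**
     * Returns the first element of an attribute value array.
     * The original read {@code values[0]} after checking only for a null array, which
     * throws on an empty array; the length is checked here as well.
     *
     * @param values   attribute values as returned by the token, may be null or empty
     * @param fallback value returned when there is no usable first element
     * @return {@code values[0]} when present and non-null, otherwise {@code fallback}
     */
    private static String firstValue(String[] values, String fallback) {
        if (values != null && values.length > 0 && values[0] != null) {
            return values[0];
        }
        return fallback;
    }
}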