Using the default authorization token to propagate security attributes

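This topic explains how WebSphere® Application Server uses the default authorization token. Consider using the default authorization token when you are looking for a place to add string attributes that are propagated downstream.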

About this task

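However, make sure that the attributes you add to the authorization token are specific to the user that is associated with the authenticated Subject. If the attributes are not user-specific, they probably belong in the propagation token, which is also propagated with the request. For more information about the propagation token, see Using the default propagation token to propagate security attributes. To add attributes to the authorization token, you must plug a custom login module into the various system login modules that are configured. Any login module configuration that has the com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule implementation configured can receive propagated information and can generate propagated information that can be sent outbound to another server.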

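If propagated attributes are not presented to the login configuration during an initial login, a default authorization token is created in the wsMapDefaultInboundLoginModule login module after the login occurs in the ltpaLoginModule login module. You can obtain a reference to the default authorization token from the login method by using the sharedState hash map. You must plug in the custom login module after the wsMapDefaultInboundLoginModule implementation for WebSphere Application Server to see the authorization token.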

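For more information about the Java™ Authentication and Authorization Service (JAAS) programming model, see the article "Security: Resources for learning".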

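Procedure

Example

The following example shows the complete task of obtaining a reference to the default authorization token from the login method, adding attributes to the token, and reading from the existing attributes that are used for authorization.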
import java.util.ArrayList;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.auth.WSLoginFailedException;

public class customLoginModule implements LoginModule
{
	public void initialize(Subject subject, CallbackHandler callbackHandler,
		Map sharedState, Map options)
	{
		// (For more information on initialization, see
		// Developing custom login modules for a system login configuration for JAAS.)

		// Get a reference to the sharedState map that is passed in during initialization.
		_sharedState = sharedState;
	}

	public boolean login() throws LoginException
	{
		// (For more information on what to do during login, see
		// Developing custom login modules for a system login configuration for JAAS.)

		// Look for the default AuthorizationToken in the shared state
		defaultAuthzToken = (com.ibm.wsspi.security.token.AuthorizationToken)
			_sharedState.get
			(com.ibm.wsspi.security.auth.callback.Constants.WSAUTHZTOKEN_KEY);

		// Might not always have one of these generated. It depends on the login
		// configuration setup.
		if (defaultAuthzToken != null)
		{
			try
			{
				// Add a custom attribute
				defaultAuthzToken.addAttribute("key1", "value1");

				// Determine all of the attributes and values that exist in the token.
				java.util.Enumeration listOfAttributes = defaultAuthzToken.
					getAttributeNames();

				while (listOfAttributes.hasMoreElements())
				{
					String key = (String) listOfAttributes.nextElement();

					String[] values = (String[]) defaultAuthzToken.getAttributes (key);

					for (int i=0; i<values.length; i++)
					{
						System.out.println ("Key: " + key + ", Value[" + i + "]: "
							+ values[i]);
					}
				}

				// Read the existing uniqueID attribute.
				String[] uniqueID = defaultAuthzToken.getAttributes
					(com.ibm.wsspi.security.token.AttributeNameConstants.
					WSCREDENTIAL_UNIQUEID);

				// Get the uniqueID from the String[]
				String unique_id = (uniqueID != null && uniqueID.length > 0 &&
					uniqueID[0] != null) ? uniqueID[0] : "";

				// Read the existing expiration attribute.
				String[] expiration = defaultAuthzToken.getAttributes
					(com.ibm.wsspi.security.token.AttributeNameConstants.
					WSCREDENTIAL_EXPIRATION);

				// An example of getting a long expiration value from the string array.
				long expire_time = 0;
				if (expiration != null && expiration.length > 0 && expiration[0] != null)
					expire_time = Long.parseLong(expiration[0]);

				// Read the existing display name attribute.
				String[] securityName = defaultAuthzToken.getAttributes
					(com.ibm.wsspi.security.token.AttributeNameConstants.
					WSCREDENTIAL_SECURITYNAME);

				// Get the display name from the String[]
				String display_name = (securityName != null && securityName.length > 0 &&
					securityName[0] != null) ? securityName[0] : "";

				// Read the existing long securityName attribute.
				String[] longSecurityName = defaultAuthzToken.getAttributes
					(com.ibm.wsspi.security.token.AttributeNameConstants.
					WSCREDENTIAL_LONGSECURITYNAME);

				// Get the long security name from the String[]
				String long_security_name = (longSecurityName != null &&
					longSecurityName.length > 0 &&
					longSecurityName[0] != null) ? longSecurityName[0] : "";

				// Read the existing group attribute.
				String[] groupList = defaultAuthzToken.getAttributes
					(com.ibm.wsspi.security.token.AttributeNameConstants.
					WSCREDENTIAL_GROUPS);

				// Get the groups from the String[]
				ArrayList groups = new ArrayList();
				if (groupList != null)
				{
					for (int i=0; i<groupList.length; i++)
					{
						System.out.println ("group[" + i + "] = " + groupList[i]);
						groups.add(groupList[i]);
					}
				}
			}
			catch (Exception e)
			{
				throw new WSLoginFailedException (e.getMessage(), e);
			}
		}

		return true;
	}

	public boolean commit() throws LoginException
	{
		// (For more information on what to do during commit, see
		// Developing custom login modules for a system login configuration for JAAS.)

		return true;
	}

	// abort() and logout() are required by the LoginModule interface.
	public boolean abort() throws LoginException
	{
		return true;
	}

	public boolean logout() throws LoginException
	{
		return true;
	}

	private java.util.Map _sharedState = null;
	private com.ibm.wsspi.security.token.AuthorizationToken defaultAuthzToken = null;
}
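
The receiving side of the same flow, as an added example that is not part of the original topic or of IBM's sample code: a custom login module on the downstream server, plugged in after wsMapDefaultInboundLoginModule, that checks the propagated "key1" attribute before anything relies on it. The class name, the single-value rule and the allowed value format are assumptions made for illustration.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.token.AuthorizationToken;

// Hypothetical downstream module: the class name and the validation policy are assumptions.
public class inboundAttributeCheckLoginModule implements LoginModule
{
	// Attribute key added by the upstream module in the example above.
	private static final String KEY = "key1";
	// Assumed value format for this illustration: short, plain identifier characters.
	private static final String ALLOWED = "[A-Za-z0-9_-]{1,64}";

	private Map _sharedState = null;

	public void initialize(Subject subject, CallbackHandler callbackHandler,
		Map sharedState, Map options)
	{
		_sharedState = sharedState;
	}

	public boolean login() throws LoginException
	{
		AuthorizationToken token = (AuthorizationToken)
			_sharedState.get(Constants.WSAUTHZTOKEN_KEY);
		if (token == null)
			return true; // this login configuration produced no default token

		String[] values = token.getAttributes(KEY);
		if (values == null || values.length == 0)
			return true; // attribute was not propagated for this user

		// getAttributes returns an array, so require exactly one well-formed value.
		if (values.length != 1 || values[0] == null || !values[0].matches(ALLOWED))
			throw new WSLoginFailedException(
				"Unexpected value for propagated attribute " + KEY);

		return true;
	}

	public boolean commit() throws LoginException { return true; }
	public boolean abort() throws LoginException { return true; }
	public boolean logout() throws LoginException { return true; }
}
```
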
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tsec_defauthtoken
File name: tsec_defauthtoken.html