With a server application, the application acts as both the request consumer and the response generator, and it is deployed and runs in the Java™ Platform, Enterprise Edition (Java EE) container. The consumer component for Web Services Security stores the security tokens that it receives in the Java Authentication and Authorization Service (JAAS) Subject of the current thread. You can retrieve the security tokens from that JAAS Subject, which the container maintains as a thread-local object.
About this task
This information applies only to Java API
for XML-based Web Services (JAX-WS).
The security handlers are
responsible for propagating security tokens. These security tokens
are embedded in the SOAP security header and passed to downstream
servers. The security tokens are encapsulated in the implementation
classes for the com.ibm.wsspi.wssecurity.auth.token.Token interface.
You can retrieve the security token data from either a server application
or a client application.
Complete the following steps to retrieve
the security token data from a server application:
Procedure
- Obtain the JAAS Subject of the current thread by using the WSSubject API. If you enable Java 2 Security on the Global security panel in the administrative console, access to the JAAS Subject is denied unless the application code is granted the javax.security.auth.AuthPermission("wssecurity.getCallerSubject") permission. The following code sample shows how to obtain the JAAS Subject:
javax.security.auth.Subject subject;
try {
subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();
} catch (com.ibm.websphere.security.WSSecurityException e) {
…
}
- Obtain the set of private credentials from the Subject. For more information, see the application programming interface (API) documentation for the com.ibm.websphere.security.auth.WSSubject class in the information center. To access this information within the information center, click Reference > Developer > API Documentation > Application Programming Interfaces. In the Application Programming Interfaces article, click com.ibm.websphere.security.auth > WSSubject.
Attention: When Java 2 Security is enabled, you might need to use the AccessController class to avoid a security violation that is caused by operating on the security objects in the Java EE container.
The following code sample shows how to use the AccessController class to obtain the private credentials (the subject variable is the JAAS Subject obtained in the previous step; it must be effectively final because it is referenced from the anonymous PrivilegedAction):
Set s = (Set) AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
// Runs with this code's own permissions, not the caller's
return subject.getPrivateCredentials();
}
});
- Search the private credentials for the target token class. You can iterate over the private credentials by using the java.util.Iterator interface. The following example shows how to retrieve a username token with a particular token ID value from the security header. You can also use other method calls to retrieve security tokens. For more information, see the application programming interface (API) documentation for the com.ibm.wsspi.wssecurity.auth.token.Token interface or for your custom token classes.
com.ibm.wsspi.wssecurity.auth.token.UsernameToken unt = null;
Iterator it = s.iterator();
while (it.hasNext()) {
Object obj = it.next();
// Only UsernameToken instances are of interest; skip other credential types
if (obj != null &&
obj instanceof com.ibm.wsspi.wssecurity.auth.token.UsernameToken) {
unt = (com.ibm.wsspi.wssecurity.auth.token.UsernameToken) obj;
// Stop at the token whose ID matches the one expected from the security header
if (unt.getId().equals("…")) break;
else continue;
}
}
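The three steps above combined into one helper, as an added example that is not part of the WebSphere product or this documentation. It assumes that getId() is declared on the com.ibm.wsspi.wssecurity.auth.token.Token interface (the page calls it only on UsernameToken); the class and method names SecurityTokenLookup, privateCredentials, findToken and usernameTokenFor are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.wssecurity.auth.token.Token;
import com.ibm.wsspi.wssecurity.auth.token.UsernameToken;

// Hypothetical helper (not product code): caller Subject -> private
// credentials under doPrivileged -> typed search by token ID.
public final class SecurityTokenLookup {

    private SecurityTokenLookup() { }

    // Step 1: the JAAS Subject of the current thread (null if the
    // thread carries no authenticated caller).
    static Subject callerSubject() throws WSSecurityException {
        return WSSubject.getCallerSubject();
    }

    // Step 2: private credentials, read under doPrivileged so that with
    // Java 2 Security enabled only this code's own grants are checked.
    static Set<Object> privateCredentials(final Subject subject) {
        return AccessController.doPrivileged(new PrivilegedAction<Set<Object>>() {
            public Set<Object> run() {
                return subject.getPrivateCredentials();
            }
        });
    }

    // Step 3: first credential of the requested token class whose ID
    // equals wantedId, or null. isInstance/cast replace the raw
    // instanceof check and tolerate a null credential or null ID.
    // Assumes Token declares getId().
    static <T extends Token> T findToken(Set<Object> creds, Class<T> type, String wantedId) {
        for (Object obj : creds) {
            if (type.isInstance(obj)) {
                T token = type.cast(obj);
                if (wantedId.equals(token.getId())) {
                    return token;
                }
            }
        }
        return null;
    }

    public static UsernameToken usernameTokenFor(String tokenId) throws WSSecurityException {
        Subject subject = callerSubject();
        return subject == null ? null
                : findToken(privateCredentials(subject), UsernameToken.class, tokenId);
    }
}
```

A null return from usernameTokenFor means either no caller Subject on the thread or no UsernameToken with that ID; treat both as "not authenticated by that token" rather than falling through.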
Results
After completing these steps,
you have retrieved the security
tokens from the JAAS Subject in a server application.