J2C principal mapping modules
You can develop your own J2EE Connector (J2C) mapping module if your application requires more sophisticated mapping functions. The mapping login module that you might have developed on WebSphere® Application Server Version 5.x is still supported in WebSphere Application Server Version 6.0.x and later.
You can use the Version 5.x login modules in the connection factory mapping configuration. These login modules can also be used in the reference mapping configuration for the resource manager connection factory. A version 5.x mapping login module is not able to use the custom mapping properties.
If you want to develop a new mapping login module in Version 6.0.x and later, use the programming interface that is described in the following sections.
Invoking the login module for the resource reference mapping
A com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandler class, which implements the javax.security.auth.callback.CallbackHandler interface, is a new WebSphere Application Service Provider Programming Interface (SPI) in WebSphere Application Server Version 6.0.x.
    package com.ibm.wsspi.security.auth.callback;

    // Interface synopsis: declarations only, method bodies are not shown.
    public class WSMappingCallbackHandlerFactory {
        // Private constructor: the factory is used through its static method only.
        private WSMappingCallbackHandlerFactory();

        public static CallbackHandler getMappingCallbackHandler(
            ManagedConnectionFactory mcf,
            HashMap mappingProperties);
    }

    package com.ibm.wsspi.security.auth.callback;

    // Interface synopsis: declarations only, method bodies are not shown.
    public class WSMappingCallbackHandler implements CallbackHandler {
        public WSMappingCallbackHandler(ManagedConnectionFactory mcf,
            HashMap mappingProperties);

        public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException;
    }
com.ibm.wsspi.security.auth.callback.WSManagedConnectionFactoryCallback
com.ibm.wsspi.security.auth.callback.WSMappingPropertiesCallback
The new login modules use the two callback types that are used at the reference mapping configuration for the resource manager connection factory. The WSManagedConnectionFactoryCallback callback provides a ManagedConnectionFactory instance that you set in the PasswordCredential credential. With this setting, the ManagedConnectionFactory instance can determine whether a PasswordCredential instance is used for signon to the target Enterprise Information Systems (EIS) instance. The WSMappingPropertiesCallback callback provides a hash map that contains custom mapping properties. The com.ibm.mapping.authDataAlias property can be used to reserve or to retrieve the Authentication Data Alias.
com.ibm.ws.security.auth.j2c.WSManagedConnectionFactoryCallback
com.ibm.ws.security.auth.j2c.WSAuthDataAliasCallback
Invoking the login module for the connection factory mapping
com.ibm.wsspi.security.auth.callback.WSManagedConnectionFactoryCallback
com.ibm.wsspi.security.auth.callback.WSMappingPropertiesCallback
The WSPrincipalMappingCallbackHandler handler and the two callbacks are deprecated in WebSphere Application Server Version 6.
Passing the mapping properties for the resource reference to the mapping login module
You can pass arbitrary custom properties to your mapping login module. The following example shows how the WebSphere Application Server default mapping login module looks for the authentication data alias property.
    try {
        // Ask the callback handler to populate both callbacks.
        wspm_callbackHandler.handle(callbacks);
        String userID = null;
        String password = null;
        String alias = null;
        // callbacks[1] is the WSMappingPropertiesCallback that carries the custom properties.
        wspm_properties = ((WSMappingPropertiesCallback) callbacks[1]).getProperties();
        if (wspm_properties != null) {
            alias = (String) wspm_properties.get(
                com.ibm.wsspi.security.auth.callback.Constants.MAPPING_ALIAS);
            if (alias != null) {
                alias = alias.trim();
            }
        }
    } catch (UnsupportedCallbackException unsupportedcallbackexception) {
        . . . // error handling
    }
The default mapping login module for WebSphere Application Server Version 6.0.x requires one mapping property to define the authentication data alias. The mapping property, which is called MAPPING_ALIAS, is defined in the Constants.class file in the com.ibm.wsspi.security.auth.callback package.
When you click
on the Map resource references to resources panel, the administrative console automatically creates a MAPPING_ALIAS entry with the selected authentication data alias value in the mapping properties. If you create your own custom login configuration and then use the default mapping login module, you must set this property manually on the mapping properties for the resource factory reference.
In a custom login module, you can use the WSSubject.getRunAsSubject method to retrieve the subject that represents the identity of the current running thread. The identity of the current running thread is known as the RunAs identity. The RunAs subject typically contains a WSPrincipal principal in the principal set and a WSCredential credential in the public credential set. The subject instance that is created by your mapping module contains a Principal instance in the principals set and a PasswordCredential credential or an org.ietf.jgss.GSSCredential instance in the set of private credentials.
The GenericCredential interface that is defined in Java Connector Architecture (JCA) Specification Version 1.0 is deprecated in the JCA Version 1.5 specification.
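The following is an added example, not IBM's code: a custom mapping login module that requests the two Version 6 callbacks described above, reads a custom mapping property, and builds the subject with a Principal and a PasswordCredential bound to the ManagedConnectionFactory instance. The class name SampleMappingModule, the mapping property sample.eisUser and the module option secretFile are hypothetical. The example assumes Java 7 or later and maps every caller to one EIS user.

```java
import java.nio.file.*;
import java.security.Principal;
import java.util.Map;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.wsspi.security.auth.callback.WSManagedConnectionFactoryCallback;
import com.ibm.wsspi.security.auth.callback.WSMappingPropertiesCallback;

// Hypothetical names (not defined by WebSphere): mapping property "sample.eisUser",
// JAAS module option "secretFile" (a file readable only by the server's OS account).
public class SampleMappingModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private Map<String, ?> options;
    private PasswordCredential cred; private Principal who;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }
    public boolean login() throws LoginException {
        Callback[] cbs = { new WSManagedConnectionFactoryCallback("Target ManagedConnectionFactory: "),
                           new WSMappingPropertiesCallback("Mapping Properties (HashMap): ") };
        try {
            handler.handle(cbs);
            // The getter is spelled "Facotry" in the WebSphere API itself.
            ManagedConnectionFactory mcf =
                ((WSManagedConnectionFactoryCallback) cbs[0]).getManagedConnectionFacotry();
            Map<?, ?> props = ((WSMappingPropertiesCallback) cbs[1]).getProperties();
            Object user = (props == null) ? null : props.get("sample.eisUser");
            Object file = options.get("secretFile");
            if (!(user instanceof String) || !(file instanceof String))
                throw new LoginException("mapping property or secretFile option missing"); // fail closed
            final String name = ((String) user).trim();
            char[] pw = new String(Files.readAllBytes(Paths.get((String) file)), "UTF-8").trim().toCharArray();
            cred = new PasswordCredential(name, pw);
            cred.setManagedConnectionFactory(mcf); // ties the credential to this connection factory
            who = new Principal() { public String getName() { return name; } };
            return true;
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("principal mapping failed: " + e.getClass().getName()); // no secrets in message
        }
    }
    public boolean commit() {
        subject.getPrincipals().add(who);
        subject.getPrivateCredentials().add(cred); // private set, as described above
        return true;
    }
    public boolean abort() { cred = null; who = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(who); subject.getPrivateCredentials().remove(cred); return true; }
}
```

Compiling it requires the WebSphere and JCA API JARs on the class path. The password is kept out of the mapping properties so that it does not appear in the resource reference configuration.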