Using the default authorization token to propagate security attributes
This topic explains how WebSphere® Application Server uses the default authorization token. Consider using the default authorization token when you are looking for a place to add string attributes that get propagated downstream.
About this task
However, make sure that the attributes you add to the authorization token are specific to the user that is associated with the authenticated Subject. If they are not specific to a user, the attributes probably belong in the propagation token, which is also propagated with the request. For more information on the propagation token, see Using the default propagation token to propagate security attributes. To add attributes into the authorization token, you must plug in a custom login module into the various system login modules that are configured. Any login module configuration that has the com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule implementation configured can receive propagated information and can generate propagation information that can be sent outbound to another server.
If propagated attributes are not presented to the login configuration during an initial login, a default authorization token is created in the wsMapDefaultInboundLoginModule login module after the login occurs in the ltpaLoginModule login module. You can obtain a reference to the default authorization token from the login method using the sharedState hashmap. You must plug in the custom login module after the wsMapDefaultInboundLoginModule implementation for WebSphere Application Server to see the default authorization token.
For more information on the Java™ Authentication and Authorization Service (JAAS) programming model, see the Security: Resources for learning article.
Procedure
![[IBM i]](../images/ngibmi.svg)
Add your custom login module
to the profile_root/classes directory.
For more information, see Creating a classes subdirectory in your profile for custom classes.![[AIX Solaris HP-UX Linux Windows]](../images/ngdist.svg)
![[z/OS]](../images/ngzos.svg)
Ensure
that your custom login module
code is trusted. Whenever you plug a custom login module into the WebSphere Application Server login infrastructure, you must ensure that the code is trusted. When you add the login module into the app_server_root/classes directory, it has Java 2 Security AllPermissions permissions. It is recommended that you add your login module and other infrastructure classes into a private directory. However, if you use a private directory, modify the $(WAS_INSTALL_ROOT)/properties/server.policy file so that the private directory, Java archive (JAR) file, or both have the permissions that are needed to run the application programming interfaces (API) that are called from the login module. Because the login module might run after the application code on the call stack, you might consider adding a doPrivileged code block so that you do not need to add additional permissions to your applications.- Associate your token factory with the default authorization
token. To associate your token factory with the default authorization token, using the administrative console, complete the following steps:
- Click Security > Global security.
- Under Additional properties, click Custom properties.
- Locate the com.ibm.wsspi.security.token.authorizationTokenFactory property and verify that the value of this property matches your custom token factory implementation.
- Verify that your implementation classes are put into the app_server_root/classes directory so that the WebSphere Application Server class loader can load the classes.
- Verify that your
implementation classes are
put into the ${USER_INSTALL_ROOT}/classes directory
so that the WebSphere Application Server class loader
can load the classes.
- Verify that the QEJBSVR
user profile has read,
write, and execute (*RWX) authority to the classes directory. You
can use the Work with Authority (WRKAUT) command to view the authority
permissions for the directory.
Example
public customLoginModule()
{
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map sharedState, Map options)
{
// (For more information on initialization, see
// Developing custom login modules for a system login configuration for JAAS.)
// Get a reference to the sharedState map that is passed in during initialization.
_sharedState = sharedState;
}
public boolean login() throws LoginException
{
// (For more information on what to do during login, see
// Developing custom login modules for a system login configuration for JAAS.)
// Look for the default AuthorizationToken in the shared state
defaultAuthzToken = (com.ibm.wsspi.security.token.AuthorizationToken)
sharedState.get
(com.ibm.wsspi.security.auth.callback.Constants.WSAUTHZTOKEN_KEY);
// Might not always have one of these generated. It depends on the login
// configuration setup.
if (defaultAuthzToken != null)
{
try
{
// Add a custom attribute
defaultAuthzToken.addAttribute("key1", "value1");
// Determine all of the attributes and values that exist in the token.
java.util.Enumeration listOfAttributes = defaultAuthorizationToken.
getAttributeNames();
while (listOfAttributes.hasMoreElements())
{
String key = (String) listOfAttributes.nextElement();
String[] values = (String[]) defaultAuthorizationToken.getAttributes (key);
for (int i=0; i<values.length; i++)
{
System.out.println ("Key: " + key + ", Value[" + i + "]: "
+ values[i]);
}
}
// Read the existing uniqueID attribute.
String[] uniqueID = defaultAuthzToken.getAttributes
(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_UNIQUEID);
// Getthe uniqueID from the String[]
String unique_id = (uniqueID != null &&
uniqueID[0] != null) ? uniqueID[0] : "";
// Read the existing expiration attribute.
String[] expiration = defaultAuthzToken.getAttributes
(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_EXPIRATION);
// An example of getting a long expiration value from the string array.
long expire_time = 0;
if (expiration != null && expiration[0] != null)
expire_time = Long.parseLong(expiration[0]);
// Read the existing display name attribute.
String[] securityName = defaultAuthzToken.getAttributes
(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_SECURITYNAME);
// Get the display name from the String[]
String display_name = (securityName != null &&
securityName[0] != null) ? securityName[0] : "";
// Read the existing long securityName attribute.
String[] longSecurityName = defaultAuthzToken.getAttributes
(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_LONGSECURITYNAME);
// Get the long security name from the String[]
String long_security_name = (longSecurityName != null &&
longSecurityName[0] != null) ? longSecurityName[0] : "";
// Read the existing group attribute.
String[] groupList = defaultAuthzToken.getAttributes
(com.ibm.wsspi.security.token.AttributeNameConstants.
WSCREDENTIAL_GROUPS);
// Get the groups from the String[]
ArrayList groups = new ArrayList();
if (groupList != null)
{
for (int i=0; i<groupList.length; i++)
{
System.out.println ("group[" + i + "] = " + groupList[i]);
groups.add(groupList[i]);
}
}
}
catch (Exception e)
{
throw new WSLoginFailedException (e.getMessage(), e);
}
}
}
public boolean commit() throws LoginException
{
// (For more information on what to do during commit, see
// Developing custom login modules for a system login configuration for JAAS.)
}
private java.util.Map _sharedState = null;
private com.ibm.wsspi.security.token.AuthorizationToken defaultAuthzToken = null;
}