Example: Custom login module for inbound mapping
This sample shows a custom login module that creates a java.util.Hashtable hashtable that is based on the specified NameCallback callback. The java.util.Hashtable hashtable is added to the sharedState java.util.Map map so that the WebSphere® Application Server login modules can locate the information in the Hashtable.
public customLoginModule() { public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { // (For more information on initialization, see // Developing custom login modules for a system login configuration for JAAS.) _sharedState = sharedState; } public boolean login() throws LoginException { // (For more information on what to do during login, see // Developing custom login modules for a system login configuration for JAAS.) // Handles the WSTokenHolderCallback to see if this is an initial or // propagation login. javax.security.auth.callback.Callback callbacks[] = new javax.security.auth.callback.Callback[3]; callbacks[0] = new javax.security.auth.callback.NameCallback(""); callbacks[1] = new javax.security.auth.callback.PasswordCallback( "Password: ", false); callbacks[2] = new com.ibm.websphere.security.auth.callback. WSCredTokenCallbackImpl(""); callbacks[3] = new com.ibm.wsspi.security.auth.callback. WSTokenHolderCallback(""); try { callbackHandler.handle(callbacks); } catch (Exception e) { // Handles the exception } // Determines which callbacks contain information boolean identitySwitched = false; String uid = ((NameCallback) callbacks[0]).getName(); char password[] = ((PasswordCallback) callbacks[1]).getPassword(); byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[2]).getCredToken(); java.util.List authzTokenList = ((WSTokenHolderCallback) callbacks[3]). getTokenHolderList(); if (credToken != null) { try { String uniqueID = WSSecurityPropagationHelper.validateLTPAToken(credToken); String realm = WSSecurityPropagationHelper.getRealmFromUniqueID (uniqueID); // Set the string to the UID so you can use the information to either // map or login. uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueid); } catch (Exception e) { // handle exception } } else if (uid == null) { // The authentication data is not valid. You must have either UID // or CredToken throw new WSLoginFailedException("invalid authentication data."); } else if (uid != null && password != null) { // This is a typical authentication. You can choose to map this ID to // another ID or you can skip it and allow WebSphere Application Server // to log in for you. When passwords are presented, be very careful not // to validate the password because this is the initial authentication. return true; } // You can map this uid to something else and set the identitySwitched // boolean. If the identity is changed, clear the following propagated // attributes so they are not used incorrectly. uid = myCustomMappingRoutine (uid); // Clear the propagated attributes because they no longer apply to the new identity if (identitySwitched) { ((WSTokenHolderCallback) callbacks[3]).setTokenHolderList(null); } boolean requiresLogin = ((com.ibm.wsspi.security.auth.callback. WSTokenHolderCallback) callbacks[2]).getRequiresLogin(); if (requiresLogin || identitySwitched) { // Retrieves the default InitialContext for this server. javax.naming.InitialContext ctx = new javax.naming.InitialContext(); // Retrieves the local UserRegistry object. com.ibm.websphere.security.UserRegistry reg = (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry"); // Retrieves the registry uniqueID based on the uid that is specified // in the NameCallback. String uniqueid = reg.getUniqueUserId(uid); uid = WSSecurityPropagationHelper.getUserFromUniqueID (uniqueid); // Retrieves the display name from the user registry based on the uniqueID. String securityName = reg.getUserSecurityName(uid); // Retrieves the groups associated with this uniqueID. java.util.List groupList = reg.getUniqueGroupIds(uid); // Creates the java.util.Hashtable with the information that you gathered // from the UserRegistry. java.util.Hashtable hashtable = new java.util.Hashtable(); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_UNIQUEID, uniqueid); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_SECURITYNAME, securityName); hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_GROUPS, groupList); // Adds a cache key that is used as part of the lookup mechanism for // the created Subject. The cache key can be an object, but has // an implemented toString method. Make sure the cacheKey contains enough // information to scope it to the user and any additional attributes you are // using. If you do not specify this property, the Subject is scoped to the // WSCREDENTIAL_UNIQUEID returned, by default. hashtable.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_CACHE_KEY, "myCustomAttribute" + uniqueid); // Adds the hashtable to the shared state of the Subject. _sharedState.put(com.ibm.wsspi.security.token.AttributeNameConstants. WSCREDENTIAL_PROPERTIES_KEY, hashtable); } else if (requiresLogin == false) { // For more information on this section, see // Security attribute propagation. // If you added a custom Token implementation, you can search through the // token holder list for it to deserialize. // Note: Any Java objects are automatically deserialized by // wsMapDefaultInboundLoginModule for (int i=0; i<authzTokenList.size(); i++) { TokenHolder tokenHolder = (TokenHolder) authzTokenList.get(i); if (tokenHolder.getName().equals("com.acme.MyCustomTokenImpl")) { byte[] myTokenBytes = tokenHolder.getBytes(); // Passes these bytes into the constructor of your implementation // class for deserialization. com.acme.MyCustomTokenImpl myTokenImpl = new com.acme.MyCustomTokenImpl(myTokenBytes); } } } } public boolean commit() throws LoginException { // (For more information on what to do during a commit, see // Developing custom login modules for a system login configuration for JAAS.) } // Defines your login module variables com.ibm.wsspi.security.token.AuthorizationToken customAuthzToken = null; com.ibm.wsspi.security.token.AuthenticationToken defaultAuthToken = null; java.util.Map _sharedState = null; }