The Service Component Architecture (SCA) RequestContext.getSecuritySubject() application programming interface returns a Java Authentication and Authorization Service (JAAS) Subject that represents the authenticated user who accesses the protected SCA service.
Before you begin
SCA service developers can use the RequestContext.getSecuritySubject() API to obtain a JAAS Subject that represents the requester. If one or more of the following preconditions are not met, the SCA request is not authenticated and the RequestContext.getSecuritySubject() API returns a null Subject:
- Administrative security must be enabled to initialize the security infrastructure.
- Application security must be enabled to enforce security policy and authentication.
- The SCA service must require an authenticated user. Authentication can be done at the transport layer using the authentication.transport intent (for OSOA composites) or the clientAuthentication.transport intent (for OASIS composites). Authentication can be done at the message layer by attaching a web service policy set that requires authentication.
About this task
When using the RequestContext.getSecuritySubject() API, perform the following steps:
Procedure
- Use the RequestContext.getSecuritySubject() API in your SCA component implementation class. The following example uses the OSOA RequestContext.getSecuritySubject() API:
    import org.osoa.sca.annotations.Context;
    import org.osoa.sca.annotations.Service;
    import org.osoa.sca.RequestContext;
    import javax.security.auth.Subject;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import com.ibm.websphere.security.cred.WSCredential; // used in step 2

    @Service(EchoService.class)
    public class EchoServiceWithIdentityComponentImpl implements EchoService
    {
        // The SCA container injects the RequestContext of the current invocation.
        @Context
        protected RequestContext requestContext;

        public String echo_String(String input)
        {
            Subject subject = null;
            String securityName = null;
            try {
                if (requestContext != null) {
                    subject = requestContext.getSecuritySubject();
                }
                // A null Subject means the request was not authenticated
                // (one of the preconditions above was not met).
                if (subject != null) {
                    Set<Principal> principalSet = subject.getPrincipals();
                    if (principalSet != null && principalSet.size() > 0) {
                        Iterator<Principal> principalIterator = principalSet.iterator();
                        if (principalIterator.hasNext()) {
                            Principal principal = principalIterator.next();
                            securityName = principal.getName();
                        }
                    }
                }
            } catch (Exception ex) {
                // Handle exception
            }
            // Echo the input together with the requester's identity
            // (securityName stays null for an unauthenticated request).
            return securityName + ": " + input;
        }
    }
The same example applies to the OASIS RequestContext.getSecuritySubject() API, with the exception of the package names in the imports:

    import org.oasisopen.sca.annotation.Context;
    import org.oasisopen.sca.annotation.Service;
    import org.oasisopen.sca.RequestContext;
- You can obtain various security attributes of the request from the WSCredential object in the Subject, as shown in the following example:
    // This fragment continues inside the try block of the previous example,
    // where subject is in scope. The attributes are collected in a StringBuffer
    // (the previous example's securityName is a String, so a separate variable is used).
    StringBuffer attributes = new StringBuffer();
    if (subject != null) {
        Set<Object> credSet = subject.getPublicCredentials();
        if (credSet != null && credSet.size() > 0)
        {
            Iterator<Object> credIterator = credSet.iterator();
            while (credIterator.hasNext()) {
                Object o = credIterator.next();
                WSCredential cred = null;
                if (o instanceof WSCredential) {
                    cred = (WSCredential) o;
                } else {
                    attributes.append("\n>> Found a public credential: " + o.getClass().getName());
                }
                if (cred != null) {
                    // The WSCredential getters throw checked exceptions when the credential
                    // has expired or been destroyed; the enclosing try/catch handles them.
                    attributes.append("\n>> WSCredential security attributes . . .");
                    attributes.append("\n>> getAccessId = \t\t" + cred.getAccessId());
                    attributes.append("\n>> getGroupIds = \t\t" + cred.getGroupIds());
                    attributes.append("\n>> getPrimaryGroupId = \t\t" + cred.getPrimaryGroupId());
                    attributes.append("\n>> getRealmName = \t\t" + cred.getRealmName());
                    attributes.append("\n>> getRealmSecurityName = \t\t" + cred.getRealmSecurityName());
                    attributes.append("\n>> getRealmUniqueSecurityName = \t\t" + cred.getRealmUniqueSecurityName());
                    attributes.append("\n>> getSecurityName = \t\t" + cred.getSecurityName());
                    attributes.append("\n>> getUniqueSecurityName = \t\t" + cred.getUniqueSecurityName());
                }
            }
        }
    }
The principal identity consists of a realm name followed by the identity of the requester. For example, assume WebSphere® Application Server is configured to use a Lightweight Directory Access Protocol (LDAP) server for authentication. The realm name is the LDAP server host name and port number:

    security name = ldap1.austin.ibm.com:389/user2

Sample output is shown here:
>> WSCredential security attributes . . .
>> getAccessId = user:ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
>> getGroupIds = [group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US]
>> getPrimaryGroupId = group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US
>> getRealmName = ldap1.austin.ibm.com:389
>> getRealmSecurityName = ldap1.austin.ibm.com:389/user2
>> getRealmUniqueSecurityName = ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
>> getSecurityName = user2
>> getUniqueSecurityName = cn=user2,o=ibm,c=us
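The steps above read the identity only for display. The following added example (not code from the original page or from the WebSphere product) shows how a component can act on the same data defensively: it treats a null Subject as an unauthenticated request and refuses to proceed, locates the WSCredential in the Subject's public credentials, and checks the realm name and group IDs before doing any work. EchoService and echo_String are the page's own interface; AuthorizingEchoServiceImpl, the EXPECTED_REALM and REQUIRED_GROUP_ID values, and the findCredential and isAuthorized helpers are assumptions introduced for illustration, and the realm and group strings are constructed placeholders in the format of the sample output above.

```java
// Added example, not from the original page: an SCA component that fails closed
// on a null Subject and checks realm and group membership from the WSCredential
// before echoing. EchoService is the page's interface; the realm and group values
// are constructed placeholders in the format of the sample output above.
import org.oasisopen.sca.annotation.Context;
import org.oasisopen.sca.annotation.Service;
import org.oasisopen.sca.RequestContext;
import javax.security.auth.Subject;
import java.util.List;
import com.ibm.websphere.security.cred.WSCredential;

@Service(EchoService.class)
public class AuthorizingEchoServiceImpl implements EchoService {

    // Hypothetical deployment values; in practice read them from configuration.
    private static final String EXPECTED_REALM = "ldap1.example.com:389";
    private static final String REQUIRED_GROUP_ID =
        "group:ldap1.example.com:389/CN=ECHOUSERS,O=EXAMPLE,C=US";

    @Context
    protected RequestContext requestContext;

    public String echo_String(String input) {
        // A null Subject means the preconditions (administrative security,
        // application security, an authentication intent or policy set) were not
        // all met. Fail closed instead of echoing for an anonymous caller.
        Subject subject = (requestContext == null) ? null : requestContext.getSecuritySubject();
        if (subject == null) {
            throw new SecurityException("Request is not authenticated; refusing to echo");
        }
        WSCredential cred = findCredential(subject);
        if (cred == null) {
            throw new SecurityException("Authenticated Subject carries no WSCredential");
        }
        try {
            if (!isAuthorized(cred.getRealmName(), cred.getGroupIds())) {
                throw new SecurityException("Caller is not in the required group for this realm");
            }
            // getSecurityName() is the short identity (for example "user2" in the sample output).
            return cred.getSecurityName() + ": " + input;
        } catch (SecurityException se) {
            throw se;
        } catch (Exception e) {
            // The WSCredential getters throw checked exceptions when the credential
            // has expired or been destroyed; treat both as a failed authorization.
            throw new SecurityException("Credential unusable: " + e.getMessage(), e);
        }
    }

    // Pick the WSCredential out of the Subject's public credential set.
    static WSCredential findCredential(Subject subject) {
        for (Object o : subject.getPublicCredentials()) {
            if (o instanceof WSCredential) {
                return (WSCredential) o;
            }
        }
        return null;
    }

    // Pure decision logic, kept free of container types so it can be unit tested.
    // groupIds is the List returned by WSCredential.getGroupIds().
    static boolean isAuthorized(String realmName, List<?> groupIds) {
        if (!EXPECTED_REALM.equals(realmName)) {
            return false; // identity came from a registry other than the expected one
        }
        if (groupIds == null) {
            return false;
        }
        for (Object g : groupIds) {
            // Compared case-insensitively: the LDAP DN in the sample output is
            // returned in upper case while directory entries are often lower case.
            if (REQUIRED_GROUP_ID.equalsIgnoreCase(String.valueOf(g))) {
                return true;
            }
        }
        return false;
    }
}
```

The realm check matters because getGroupIds() values are prefixed with the realm (group:realm/DN, as in the sample output); comparing the full prefixed ID against a configured value, and separately confirming getRealmName(), keeps the component from honouring a group of the same DN issued by a different registry.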