IBM WebSphere™ eXtreme Scale, Release 8.6
API Specification

Package com.ibm.websphere.objectgrid.security.plugins

This package contains the interfaces for adding plug-ins to the ObjectGrid security framework and associated Exception classes.

Interface Summary
Authenticator: This plugin can be used to authenticate an ObjectGrid client to an ObjectGrid server based on the credential provided by the client.
Credential: This interface represents a credential used by an ObjectGrid client.
CredentialGenerator: This plugin is used to get a Credential representing this client.
ObjectGridAuthorization: This plugin can be used to authorize ObjectGrid, ObjectMap and JavaMap accesses to the Principals represented by a Subject object.
SecureTokenManager: This interface is used by ObjectGrid servers to transform an object to a secure token and vice versa.
SubjectSource: This plugin can be used to get a Subject which represents an ObjectGrid client.
SubjectValidation: This plugin can be used to validate that a Subject passed to the ObjectGrid is a valid Subject which has not been tampered with.
 

Exception Summary
CannotGenerateCredentialException: This exception indicates a credential cannot be generated.
ExpiredCredentialException: This exception indicates that the credential used for authentication is expired.
InvalidCredentialException: This exception indicates that the credential used for authentication is invalid.
InvalidSubjectException: This exception indicates the Subject passed to an ObjectGrid server is not a valid subject.
 

Package com.ibm.websphere.objectgrid.security.plugins Description

This package contains the interfaces for adding plug-ins to the ObjectGrid security framework and associated Exception classes.

The plug-ins in this package are used for authentication and authorization. Below is a brief summary of these plug-ins.

Authentication plug-ins

Credential

A com.ibm.websphere.objectgrid.security.plugins.Credential plug-in represents a client credential. It is passed from the client to the server for authentication. It could be a user password pair, a Kerberos ticket, etc.

CredentialGenerator

A com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator plug-in is used to get a Credential representing this client. It is a factory for the Credential object.

Authenticator

The com.ibm.websphere.objectgrid.security.plugins.Authenticator plug-in is used to authenticate an ObjectGrid client to an ObjectGrid server.

SubjectSource

The com.ibm.websphere.objectgrid.security.plugins.SubjectSource plug-in is used to get a Subject instance representing the ObjectGrid client. This plug-in is used when ObjectGrid security is on. The getSubject method is called by the ObjectGrid runtime when the ObjectGrid.getSession() method is used to get a session. This plug-in is normally used for a local ObjectGrid and provides a mechanism to plug in an application server-specific way to retrieve a Subject object from the environment.

SubjectValidation

The com.ibm.websphere.objectgrid.security.plugins.SubjectValidation plug-in is used to validate a Subject object passed to the ObjectGrid. A typical scenario where this plug-in can be used usually has the following characteristics:

The last bullet is usually the most difficult to satisfy. This will require support from the originator of the Subject object.

For example, consider an ObjectGrid client running in WebSphere Application Server (WAS) Extended Deployment (XD), which also hosts the ObjectGrid server. The client can retrieve the runAs Subject and then pass it to the ObjectGrid instance. The ObjectGrid server will then invoke the SubjectValidation mechanism, which uses WAS-specific APIs to validate that the Subject object has not been tampered with.

Authorization plug-ins

MapAuthorization

The com.ibm.websphere.objectgrid.security.plugins.MapAuthorization plug-in is used to check whether the user represented by the Subject object has a specified ObjectMapPermission. Users can implement this interface to plug in their own authorization mechanism. For example, users can plug in an authorization mechanism that uses Tivoli Access Manager Authorization Server.

Starting from WebSphere XD 6.1, MapAuthorization has been deprecated. Users can use ObjectGridAuthorization to authorize map accesses.

AdminAuthorization

The com.ibm.websphere.objectgrid.security.plugins.AdminAuthorization plug-in can be used to authorize management operations to the principals contained in the Subject object. The permissions for the management operations are represented by AdminPermission objects.

ObjectGridAuthorization

The com.ibm.websphere.objectgrid.security.plugins.ObjectGridAuthorization plug-in can be used to authorize ObjectGrid, ObjectMap and JavaMap accesses to the Principals represented by a Subject object. All access and operations to ObjectGrid can be authorized using this plug-in.

Other plug-ins

SecureTokenManager

This interface is used by ObjectGrid servers to transform an object to a secure token and vice versa. A secure token is a byte array.
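One way to realize the object-to-byte-array transformation described above is authenticated encryption, shown here as an added example that is not IBM's implementation and does not implement the SecureTokenManager interface, so it compiles with the JDK alone (Java 9 or later). The class name GcmTokenExample and the methods toToken and fromToken are hypothetical, and the payload string is constructed sample data.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

// Added illustration (hypothetical names); token layout is IV || ciphertext+tag.
public class GcmTokenExample {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();
    GcmTokenExample(SecretKey key) { this.key = key; }

    // Object -> secure token: serialize, then AES-GCM encrypt under a fresh random IV.
    byte[] toToken(Serializable o) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(buf.toByteArray());
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Secure token -> object: doFinal throws AEADBadTagException if any byte was changed,
    // so modified bytes never reach the deserializer; the filter is defense in depth.
    Object fromToken(byte[] token) throws IOException, GeneralSecurityException, ClassNotFoundException {
        if (token == null || token.length < IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, token, 0, IV_LEN));
        byte[] plain = c.doFinal(token, IV_LEN, token.length - IV_LEN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.*;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        GcmTokenExample mgr = new GcmTokenExample(kg.generateKey());
        byte[] token = mgr.toToken("user=alice;expires=1700000000"); // constructed sample payload
        System.out.println("round trip: " + mgr.fromToken(token));
        token[token.length - 1] ^= 1; // a single flipped bit, as could happen to a token in transit
        try { mgr.fromToken(token); }
        catch (GeneralSecurityException e) { System.out.println("modified token rejected: " + e.getClass().getSimpleName()); }
    }
}
```

In a real deployment the key would be shared among the servers that exchange tokens rather than generated per process as in this main method.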

For details about how to use these plug-ins, please refer to the individual JavaDoc and the ObjectGrid programming guide.



© Copyright International Business Machines Corp 2005,2012. All rights reserved.