5.7.6.2.1: Manipulating credentials

A credential object is an object that implements the org.omg.SecurityLevel2.Credentials interface. This interface supports many operations on credentials. A specific credential object contains identifying information about a principal for a session; this information includes the security name of the principal, the principal's hostname, and more. The Credentials interface defines methods for the following:

  • Copying a credential
  • Retrieving the information in the credential
  • Determining if the credential has expired

Security in the WebSphere environment offers two ways for authentication of principals to take place:

  • Basic authentication
  • Authentication against the local operating system
The credentials associated with each type contain different information about the principal.

The credentials created for basic authentication contain information that is not yet verified. Such credentials are typically created on the client side of an application and sent to the server for authentication, after which an authenticated credential is created. The basic-authorization credential contains the user ID and password for the user requesting authentication.

When the server receives the basic-authorization credential during the establishment of a secure association, one of the other types of credentials is created if the information about the user can be authenticated according to the local registry or LDAP registry.

To manipulate a credential object, an application must get access to a credential object. To get access to a credential object, an application must:

  1. Acquire credentials (either by logging in or receiving them as part of an incoming request).
  2. Extract the credential object:
    1. Get a reference to the security Current object.
    2. Extract the desired type of credential.

Copying a credential

Copying a credential object creates a new Credentials object that is an exact duplicate (or deep copy) of the original Credentials object. The method, Credentials.copy(), returns a reference to the newly created copy. Copying credentials is typically done when an application needs to return a Credentials object to a caller but does not want the caller to be able to modify the original Credentials object.

   ...
// Get a reference to the security Current object.
...
// Extract the credential object.
creds = ...

// Make a copy of the credential object.
org.omg.SecurityLevel2.Credentials newcreds = creds.copy();
...

Retrieving information from a credential

You can use the Credentials.get_attributes method. This method takes an attribute-type list as an argument and returns the value of each attribute type in the list. To use this method, you must first create a list of attribute types. Each position in the list holds a different attribute type; you must construct the list so that it holds exactly the attributes you want to retrieve.

The code sample illustrates the retrieval of the values of four attributes. This procedure demonstrates how you can acquire the security attributes of a credential. It is used to determine the security name and host identity of the principal that invoked the current method request, including the host where the principal is logged in. The procedure is performed on a Credentials object. The security name and host name are security attributes introduced by WebSphere; therefore, they are identified by the IBM_BOSS_FAMILY_DEFINER, in attribute family 2. The security run time must be installed and the ORB must be initialized.

   ...
   // Get a reference to the security Current object.
   ...
   // Extract the credential object.
   creds = ...

   // Create and initialize the attribute-type list.
   org.omg.Security.AttributeType[] attributeTypeList =
       new org.omg.Security.AttributeType[4];

   // Establish the type of attribute each index holds.
   // OMG-defined attributes use family definer 0, family 1;
   // WebSphere (IBM_BOSS_FAMILY_DEFINER) attributes use family definer 8, family 2.
   org.omg.Security.ExtensibleFamily familyOMG =
       new org.omg.Security.ExtensibleFamily((short) 0, (short) 1);
   org.omg.Security.ExtensibleFamily familyIBM =
       new org.omg.Security.ExtensibleFamily((short) 8, (short) 2);

   attributeTypeList[0] =
       new org.omg.Security.AttributeType(familyIBM, com.ibm.IExtendedSecurity.CredAttrSecName.value);
   //    new org.omg.Security.AttributeType(familyOMG, org.omg.Security.Public.value);
   attributeTypeList[1] =
       new org.omg.Security.AttributeType(familyOMG, org.omg.Security.AccessId.value);
   attributeTypeList[2] =
       new org.omg.Security.AttributeType(familyOMG, org.omg.Security.GroupId.value);
   attributeTypeList[3] =
       new org.omg.Security.AttributeType(familyIBM, com.ibm.IExtendedSecurity.CredAttrHostName.value);

   // Make sure all values are initially null.
   org.omg.Security.Attribute[] attributeList = null;

   try
   {
       // Extract the attributes from the credential. The returned list is
       // positional: entry i holds the value for attributeTypeList[i].
       attributeList = creds.get_attributes(attributeTypeList);

       // Retrieve the securityName (attribute values are opaque byte sequences).
       String secName = new String(attributeList[0].value);

       // Retrieve the AccessID.
       String AccessID = new String(attributeList[1].value);

       // Retrieve the GroupID.
       String GroupID = new String(attributeList[2].value);

       // Retrieve the HostName.
       String HostName = new String(attributeList[3].value);
   }
   // The IDL scoped names Security::InvalidAttributeType and
   // Security::DuplicateAttributeType map to Java package-qualified names.
   catch (org.omg.Security.InvalidAttributeType e)
   {
       e.printStackTrace();
   }
   catch (org.omg.Security.DuplicateAttributeType e)
   {
       e.printStackTrace();
   }
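The following Java class is an added example, not code from this InfoCenter page or from WebSphere itself. It combines the two operations described above, copying a credential before handing it to a caller and reading the security name, access ID, group ID and host name with one get_attributes call, into a single helper. It assumes the caller has already extracted a Credentials reference from the security Current object as described at the top of this article; the class name CredentialInfo, the method names from and shareReadOnly, the UTF-8 decoding of attribute values, and the check that get_attributes returns one entry per requested type in request order are all assumptions made for this example.

```java
import java.io.UnsupportedEncodingException;

import org.omg.Security.Attribute;
import org.omg.Security.AttributeType;
import org.omg.Security.DuplicateAttributeType;
import org.omg.Security.ExtensibleFamily;
import org.omg.Security.InvalidAttributeType;
import org.omg.SecurityLevel2.Credentials;

/**
 * Read-only snapshot of the identity carried in a credential.
 * CredentialInfo is a class constructed for this example, not a WebSphere type.
 */
public final class CredentialInfo {

    // Attribute families used on this page: OMG-defined attributes are
    // family (definer 0, family 1); WebSphere's IBM_BOSS_FAMILY_DEFINER
    // attributes are family (definer 8, family 2).
    private static final ExtensibleFamily FAMILY_OMG =
        new ExtensibleFamily((short) 0, (short) 1);
    private static final ExtensibleFamily FAMILY_IBM =
        new ExtensibleFamily((short) 8, (short) 2);

    public final String securityName;
    public final String accessId;
    public final String groupId;
    public final String hostName;

    private CredentialInfo(String securityName, String accessId,
                           String groupId, String hostName) {
        this.securityName = securityName;
        this.accessId = accessId;
        this.groupId = groupId;
        this.hostName = hostName;
    }

    /**
     * Reads the security name, access ID, group ID and host name with a
     * single get_attributes call. The exceptions are propagated rather than
     * swallowed, so a failed lookup is never mistaken for an anonymous or
     * unnamed principal by the code that makes an authorization decision.
     */
    public static CredentialInfo from(Credentials creds)
            throws InvalidAttributeType, DuplicateAttributeType {
        if (creds == null) {
            throw new IllegalArgumentException("no credential was supplied");
        }

        AttributeType[] wanted = new AttributeType[] {
            new AttributeType(FAMILY_IBM, com.ibm.IExtendedSecurity.CredAttrSecName.value),
            new AttributeType(FAMILY_OMG, org.omg.Security.AccessId.value),
            new AttributeType(FAMILY_OMG, org.omg.Security.GroupId.value),
            new AttributeType(FAMILY_IBM, com.ibm.IExtendedSecurity.CredAttrHostName.value)
        };

        Attribute[] found = creds.get_attributes(wanted);

        // Assumption (matching the page's sample): the result is positional,
        // one Attribute per requested type, in request order. Check it
        // instead of indexing blindly.
        if (found == null || found.length != wanted.length) {
            throw new IllegalStateException("expected " + wanted.length
                + " attributes, received " + (found == null ? 0 : found.length));
        }

        return new CredentialInfo(text(found[0]), text(found[1]),
                                  text(found[2]), text(found[3]));
    }

    /**
     * Gives a caller its own copy of the credential, so nothing the caller
     * does to the copy can alter the credential the current thread runs under.
     */
    public static Credentials shareReadOnly(Credentials creds) {
        return creds.copy();
    }

    // An attribute value is an opaque byte sequence. Decode it with an
    // explicit charset (UTF-8 is an assumption of this example; the page's
    // sample relies on the platform default) and report an absent value as
    // null rather than as an empty name.
    private static String text(Attribute attr) {
        if (attr == null || attr.value == null || attr.value.length == 0) {
            return null;
        }
        try {
            return new String(attr.value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("JVM lacks UTF-8 support", e);
        }
    }
}
```

A server-side method that already holds the invoking principal's credential would call CredentialInfo.from(creds) to obtain the four values, and CredentialInfo.shareReadOnly(creds) when it needs to return a Credentials object to code outside its trust boundary. Propagating InvalidAttributeType and DuplicateAttributeType, rather than printing the stack trace as the page's sample does, keeps a lookup failure from leaving the name variables null and silently granting or denying access on that basis.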

WebSphere combines the CORBA.Principal and the SecurityLevel2.Credentials interfaces in the IExtendedSecurity.Credentials interface. The IExtendedSecurity module contains IBM extensions to the standard interfaces defined by the Object Management Group (OMG) and new interfaces introduced by IBM.
