By enabling identity assertion with trust validation, an application
can use the JAAS login configuration to perform a programmatic identity assertion.
About this task
To enable an identity assertion with trust validation, follow these
steps:
Procedure
- Create a custom login module to perform a trust validation.
The login module must set trust and identity information in the shared
state, which is then passed on to the IdentityAssertionLoginModule. The trust
and identity information is stored in a map in the shared state under the
key, com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state.
If this key is missing from the shared state, a WSLoginFailedException error
is thrown by the IdentityAssertionLoginModule module. The custom login module
should include the following:
- A trust key named com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trust.
If the trust key is set to true, trust is established. If the trust
key is set to false, the IdentityAssertionLoginModule module creates
a WSLoginFailedException error.
- The identity, as a java.security.Principal, set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal
key.
- The identity, as a java.security.cert.X509Certificate[] certificate
chain, set in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates
key.
Note: If both a principal and a certificate are supplied, the principal
is used, and a warning is issued.
- Create a new Java Authentication and Authorization Service (JAAS)
configuration for application logins. It contains the user-implemented
trust validation custom login module and the IdentityAssertionLoginModule
module. To configure an application login configuration from the administrative
console, complete the following steps:
- Click Security > Secure administration,
applications, and infrastructure.
- Under Java Authentication and Authorization Service, click Application
logins > New.
- Supply the JAAS configuration with an alias, and then click Apply.
- Under Additional properties, click JAAS Login Modules > New.
- Enter the module class name of the user-implemented trust validation
custom login module, and then click Apply.
- Enter the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule
module class name.
- Make sure that the module classes are listed in the correct
order. The user-implemented trust validation login module must be the first
class in the list, and the IdentityAssertionLoginModule module must be the
second class.
- Click Save. The new JAAS configuration is used by the
application to perform an identity assertion.
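The following is an added example of the custom trust validation login module from step 1; it is not IBM's code. It assumes the asserting party is the identity currently running in the thread (read with WSSubject.getCallerPrincipal()), that the application's callback handler answers a NameCallback with the asserted name, that the allowed asserters are configured in a hypothetical "trustedAsserters" module option, and that the trust value is stored as a Boolean.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.auth.WSSubject;

// First module in the stack: decides whether the caller may assert, then hands the result on.
public class TrustValidationLoginModule implements LoginModule {
    // Shared-state keys as documented for IdentityAssertionLoginModule.
    private static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.";
    static final String STATE_KEY = PREFIX + "state";
    static final String TRUST_KEY = PREFIX + "trust";
    static final String PRINCIPAL_KEY = PREFIX + "principal";

    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private Set<String> trustedAsserters;  // identities permitted to assert on behalf of others

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        // Hypothetical module option: comma-separated list set on the JAAS login module entry.
        String list = String.valueOf(options.get("trustedAsserters"));
        this.trustedAsserters = new HashSet<>(Arrays.asList(list.split(",")));
    }

    @Override
    public boolean login() throws LoginException {
        String asserter = WSSubject.getCallerPrincipal();  // identity running right now
        NameCallback nc = new NameCallback("asserted identity");
        try { handler.handle(new Callback[] { nc }); }
        catch (Exception e) { throw new LoginException("no asserted identity: " + e); }
        final String asserted = nc.getName();
        boolean trusted = asserter != null && asserted != null && trustedAsserters.contains(asserter);
        Map<String, Object> state = new HashMap<>();
        state.put(TRUST_KEY, Boolean.valueOf(trusted));  // false: IdentityAssertionLoginModule rejects the login
        if (trusted) {
            state.put(PRINCIPAL_KEY, new Principal() { public String getName() { return asserted; } });
        }
        sharedState.put(STATE_KEY, state);  // absent key: WSLoginFailedException
        return true;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }
}
```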
What to do next
An application can now use the JAAS login configuration to perform
a programmatic identity assertion. The application can create a login context
for the JAAS configuration created in step 2, then log in to that login context
with the identity it asserts. If the login is successful, that identity
can be set in the current running process, as in the following example:
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;

// MyCallbackHandler and MyPrincipal are the application's own classes.
MyCallbackHandler handler = new MyCallbackHandler(new MyPrincipal("Joe"));
LoginContext lc = new LoginContext("MyAppLoginConfig", handler);
lc.login(); // assume successful
Subject s = lc.getSubject();
WSSubject.setRunAsSubject(s);
// From here on, the runas identity is "Joe"