This document describes how to add an object into the Subject from a login module and describes other infrastructure considerations to make sure that the Java object gets propagated.
public customLoginModule() { public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { } public boolean login() throws LoginException { // Construct callback for the WSTokenHolderCallback so that you // can determine if // your custom object has propagated Callback callbacks[] = new Callback[1]; callbacks[0] = new WSTokenHolderCallback("Authz Token List: "); try { _callbackHandler.handle(callbacks); } catch (Exception e) { throw new LoginException (e.getLocalizedMessage()); } // Checks to see if any information is propagated into this login List authzTokenList = ((WSTokenHolderCallback) callbacks[1]). getTokenHolderList(); if (authzTokenList != null) { for (int i = 0; i< authzTokenList.size(); i++) { TokenHolder tokenHolder = (TokenHolder)authzTokenList.get(i); // Look for your custom object. Make sure you use // "startsWith"because there is some data appended // to the end of the name indicating in which Subject // Set it belongs. Example from getName(): // "com.acme.CustomObject (1)". The class name is // generated at the sending side by calling the // object.getClass().getName() method. If this object // is deserialized by WebSphere Application Server, // then return it and you do not need to add it here. // Otherwise, you can add it below. // Note: If your class appears in this list and does // not use custom serialization (for example, an // implementation of the Token interface described in // the Propagation Token Framework), then WebSphere // Application Server automatically deserializes the // Java object for you. You might just return here if // it is found in the list. if (tokenHolder.getName().startsWith("com.acme.CustomObject")) return true; } } // If you get to this point, then your custom object has not propagated myCustomObject = new com.acme.CustomObject(); myCustomObject.put("mykey", "mydata"); } public boolean commit() throws LoginException { try { // Assigns a reference to a final variable so it can be used in // the doPrivileged block final com.acme.CustomObject myCustomObjectFinal = myCustomObject; // Prevents your applications from needing a JAAS getPrivateCredential // permission. java.security.AccessController.doPrivileged(new java.security. PrivilegedExceptionAction() { public Object run() throws java.lang.Exception { // Try not to add a null object to the Subject or an object // that already exists. if (myCustomObjectFinal != null && !subject.getPrivateCredentials(). contains(myCustomObjectFinal)) { // This call requires a special Java 2 Security permission, // see the JAAS application programming interface (API) // documentation. subject.getPrivateCredentials().add(myCustomObjectFinal); } return null; } }); } catch (java.security.PrivilegedActionException e) { // Wraps the exception in a WSLoginFailedException java.lang.Throwable myException = e.getException(); throw new WSLoginFailedException (myException.getMessage(), myException); } } // Defines your login module variables com.acme.CustomObject myCustomObject = null; }
If you are careful adding custom objects and follow all the steps to make sure that WebSphere Application Server can serialize and deserialize the object at each hop, then it is sufficient to use custom Java objects only.
When you
add a custom object into the Subject and expect WebSphere Application
Server to propagate the object, make sure that the class definition for that
custom object exists in the JAR file within the app_server_root/lib/ext/ directory
on all of the nodes where serialization or deserialization might occur. Also,
verify that the Java class versions are the same.
When
you add a custom object into the Subject and expect WebSphere Application
Server to propagate the object, make sure that the class definition for that
custom object exists in the profile_root/classes directory
on all of the nodes where serialization or deserialization might occur. Also,
verify that the Java class versions are the same.
Although you can add custom objects to the propagation exclude list, you must be aware of a side effect. WebSphere Application Server stores the opaque token, or the serialized Subject contents, in a local cache for the life of the single sign-on (SSO) token. The life of the SSO token, which has a default of two hours, is configured in the SSO properties on the administrative console. The information that is added to the opaque token includes only the objects not in the exclude list.
If your authentication cache does not match your SSO token timeout, configure the authentication cache properties. See Configuring the authentication cache. It is recommended that you make your authentication cache timeout value equal to the SSO token timeout.
In this information ...Related concepts
Related tasks
Related reference
| IBM Redbooks, demos, education, and more(Index) Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience. This feature requires Internet access. Most of the following links will take you to information that is not part of the formal product documentation and is provided "as is." Some of these links go to non-IBM Web sites and are provided for your convenience only and do not in any manner serve as an endorsement by IBM of those Web sites, the material thereon, or the owner thereof. |