The security public APIs in the Liberty profile provide a way of extending the security infrastructure.
The Liberty profile contains public APIs that you can use to implement security functions. The security public APIs in the Liberty profile are a subset of the full profile security public APIs. The main classes are WSSecurityHelper, WSSubject, and RegistryHelper. These classes contain a subset of the methods that are available in the full profile versions. There is also a new class WebSecurityHelper.
The following sections describe those main classes. There are also other classes, such as UserRegistry and WSCredential, and a number of exception classes.
All the security public APIs supported by the Liberty profile are in the Java™ API documentation. The Java API documentation for each Liberty profile API is detailed in the Programming Interfaces (APIs) section of the information center, and is also available as a separate .zip file in one of the javadoc subdirectories of the ${wlp.install.dir}/dev directory.
import java.rmi.RemoteException;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.wsspi.security.registry.RegistryHelper;
/**
 * Example: looks up the user registry, authenticates a fixed user id and password
 * through the "WSLogin" JAAS login configuration, and runs a PrivilegedAction
 * under the resulting Subject with WSSubject.doAs.
 *
 * The "..." lines stand for code the listing leaves out, so this is a fragment,
 * not a compilable class.
 */
public class myServlet {
...
    // Everything below runs only when isServerSecurityEnabled() returns true.
    if (WSSecurityHelper.isServerSecurityEnabled()) {
        UserRegistry ur = null;
        try {
            ur = RegistryHelper.getUserRegistry(null);
        } catch (WSSecurityException e1) {
            // record some diagnostic info
            return;
        }
        // Literal credentials are for illustration only. Deployed code should take
        // them from the caller or a protected credential store, never from source,
        // because anything compiled into the class is readable by whoever can read
        // the application archive.
        String userid = "user1";
        String password = "user1password";
        try {
            // isValidUser takes only the user id; the password is not checked here.
            // It is handed to the login module through the callback handler below.
            if (ur.isValidUser(userid)) {
                // create a Subject, authenticating with
                // a userid and password
                CallbackHandler wscbh = new WSCallbackHandlerImpl(userid, password);
                LoginContext ctx;
                ctx = new LoginContext("WSLogin", wscbh);
                ctx.login();
                Subject subject = ctx.getSubject();
                // Perform an action using the Subject for
                // any required authorization
                WSSubject.doAs(subject, action);
                // NOTE(review): the listing never calls ctx.logout(); confirm whether
                // the Subject's credentials should be released once the action is done.
            }
            // An unknown user id falls through here silently: no login is attempted
            // and nothing is recorded.
        } catch (CustomRegistryException e) {
            // record some diagnostic info (user id only; keep the password out of it)
            return;
        } catch (RemoteException e) {
            // record some diagnostic info (user id only; keep the password out of it)
            return;
        } catch (LoginException e) {
            // Authentication failed.
            // record some diagnostic info (user id only; keep the password out of it)
            return;
        }
    }
...
    // Work to run under the authenticated Subject; passed to WSSubject.doAs above.
    // Declared with the raw PrivilegedAction type, so run() returns Object.
    private final PrivilegedAction action = new PrivilegedAction() {
        @Override
        public Object run() {
            // do something useful here
            return null;
        }
    };
}
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
...
// Example: authenticates a fixed user through the "WSLogin" JAAS login
// configuration, makes the resulting Subject the run-as Subject of the current
// thread for a piece of work, then puts the previous Subject back.
if (WSSecurityHelper.isServerSecurityEnabled()) {
    // Literal credentials are for illustration only; deployed code should not
    // carry a user id and password in source.
    CallbackHandler wscbh = new WSCallbackHandlerImpl("user1", "user1password");
    LoginContext ctx;
    try {
        // create a Subject, authenticating with
        // a userid and password
        ctx = new LoginContext("WSLogin", wscbh);
        ctx.login();
        Subject mySubject = ctx.getSubject();
        Subject oldSubject = null;
        try {
            // Save a ref to the current Subject on the thread
            oldSubject = WSSubject.getRunAsSubject();
            // Make mySubject the current Subject on the thread
            WSSubject.setRunAsSubject(mySubject);
            // Do something useful here. Any authorization
            // required will be performed using mySubject
        } catch (WSSecurityException e) {
            // record some diagnostic info
            // The finally block below still runs before this return takes effect.
            return;
        } finally {
            // Put the original Subject back on the thread context
            // NOTE(review): the restore is skipped when oldSubject is null. If
            // getRunAsSubject() returned null and setRunAsSubject(mySubject)
            // succeeded, mySubject stays as the thread's run-as Subject after this
            // code finishes, and later work on a reused thread could be authorized
            // as that user. Confirm how the run-as Subject should be cleared in
            // that case.
            if (oldSubject != null) {
                try {
                    WSSubject.setRunAsSubject(oldSubject);
                } catch (WSSecurityException e) {
                    // record some diagnostic info
                    // A failure here also leaves mySubject on the thread.
                }
            }
        }
    } catch (LoginException e) {
        // Authentication failed; the run-as Subject was never changed.
        // record some diagnostic info
        return;
    }
}
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;
...
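// Example: reads the caller's Subject from the current thread and prints the
// group ids held in its first WSCredential public credential.
if (WSSecurityHelper.isServerSecurityEnabled()) {
    // Get the caller's subject
    Subject callerSubject;
    try {
        callerSubject = WSSubject.getCallerSubject();
    } catch (WSSecurityException e) {
        // record some diagnostic info
        return;
    }
    // getCallerSubject() can return null when the thread carries no caller
    // credential (for example an unauthenticated request). Without this guard the
    // getPublicCredentials call below would throw a NullPointerException.
    if (callerSubject == null) {
        // record some diagnostic info
        return;
    }
    WSCredential wsCred = null;
    Set<WSCredential> wsCredentials =
        callerSubject.getPublicCredentials(WSCredential.class);
    Iterator<WSCredential> wsCredentialsIterator = wsCredentials.iterator();
    // Only the first WSCredential is inspected; a Subject without one is skipped.
    if (wsCredentialsIterator.hasNext()) {
        wsCred = wsCredentialsIterator.next();
        try {
            // Print out the groups
            // Group membership is authorization data. Outside of a demo, send it
            // to a logger at a diagnostic level rather than to standard output.
            ArrayList<String> groups = wsCred.getGroupIds();
            for (String group : groups) {
                System.out.println("Group name: " + group);
            }
        } catch (CredentialExpiredException e) {
            // The credential is past its expiry and can no longer be read.
            // record some diagnostic info
            return;
        } catch (CredentialDestroyedException e) {
            // The credential has been destroyed and can no longer be read.
            // record some diagnostic info
            return;
        }
    }
}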
}