This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Custom mediator

An OAuth 2.0 mediator is used as a callback during the OAuth 2.0 message processing to perform customized post processing.

Write an OAuth 2.0 mediator

To write a mediator, you must implement the interface named com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator. You can implement one or more of the following methods to perform custom post-processing.
void init(OAuthComponentConfiguration config)
This method is called by a factory when an instance of this object is created.
void mediateAuthorize(AttributeList attributeList)
This method is called by the core component after basic message validation and processing, to allow custom post-processing by the component consumer in the processAuthorization method.
void mediateAuthorizeException(AttributeList attributeList, OAuthException exception)
This method is called by the core component when a protocol exception occurs, to allow custom post-processing by the component consumer in the processAuthorization method.
void mediateResource(AttributeList attributeList)
This method is called by the core component after basic message validation and processing, to allow custom post-processing by the component consumer in the processResourceRequest method.
void mediateResourceException(AttributeList attributeList, OAuthException exception)
This method is called by the core component when a protocol exception occurs, to allow custom post-processing by the component consumer in the processResourceRequest method.
void mediateToken(AttributeList attributeList)
This method is called by the core component after basic message validation and processing, to allow custom post-processing by the component consumer in the processTokenRequest method.
void mediateTokenException(AttributeList attributeList, OAuthException exception)
This method is called by the core component when a protocol exception occurs, to allow custom post-processing by the component consumer in the processTokenRequest method.

Enable OAuth 2.0 mediator for an OAuth provider

To add a customized mediator to a specific OAuth 2.0 service provider, update the provider definition in the server.xml file. Add the mediatorClassname attribute of the oauthProvider element and specify the class name for the mediator. You can also specify multiple class names for mediators by using the mediatorClassname subelement of the oauthProvider element. If multiple mediators are specified, those mediators are started in the order they are specified. You must also define a library element that contains the mediator class and refer to the library with the libraryRef attribute.

The following example shows a sample custom mediator entry in the provider definition in the server.xml file:
<oauthProvider id="OAuthConfigSample" libraryRef="myLib"
  mediatorClassname="com.ibm.ws.security.oauth20.mediator.ResourceOwnerValidationMediator" ...>
  ...
</oauthProvider>

<library id="myLib">
  <fileset dir="C:\mydir" includes="myLib.jar" />
</library>
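The page's example uses the mediatorClassname attribute for a single mediator. As an added example (not from the original page), the following server.xml fragment uses the mediatorClassname subelement form so that two mediators run in the order listed; the com.example.oauth.AuditMediator class name, the library id, and the jar path are placeholders, not values from the page.

```xml
<!-- Added example: two mediators registered with mediatorClassname subelements.
     Mediators run in the order they are listed, so the audit mediator runs
     before the credential check. Other oauthProvider attributes are omitted.
     Class names and the library path are placeholders, not values from the page. -->
<oauthProvider id="OAuthConfigSample" libraryRef="mediatorLib">
  <mediatorClassname>com.example.oauth.AuditMediator</mediatorClassname>
  <mediatorClassname>com.ibm.ws.security.oauth20.mediator.ResourceOwnerValidationMediator</mediatorClassname>
</oauthProvider>

<!-- The library must contain every mediator class listed above. -->
<library id="mediatorLib">
  <fileset dir="${server.config.dir}/lib" includes="mediators.jar" />
</library>
```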
The following code sample implements the credential validation by using the WebSphere® Application Server user registry in the resource owner password credentials flow.
package com.ibm.ws.security.oauth20.mediator;

import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.config.OAuthComponentConfiguration;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MediatorException;
import com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;

import java.rmi.RemoteException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.naming.InitialContext;
import javax.naming.NamingException;

// The class name must match the mediatorClassname value in server.xml.
public class ResourceOwnerValidationMediator implements OAuth20Mediator {
  private static final String CLASS = ResourceOwnerValidationMediator.class.getName();
  private static final Logger LOG = Logger.getLogger(CLASS);
  // Looked up in init(); stays null if the JNDI lookup fails.
  private UserRegistry reg = null;

  public void init(OAuthComponentConfiguration config) {
    try {
      InitialContext ctx = new InitialContext();
      reg = (UserRegistry) ctx.lookup("UserRegistry");
    } catch(NamingException ne) {
      LOG.log(Level.SEVERE, "Cannot lookup UserRegistry", ne);
    }
  }

  public void mediateAuthorize(AttributeList attributeList)
    throws OAuth20MediatorException {
    // nothing to do here
  }

  public void mediateAuthorizeException(AttributeList attributeList,
                                        OAuthException exception)
    throws OAuth20MediatorException {
    // nothing to do here
  }

  public void mediateResource(AttributeList attributeList)
    throws OAuth20MediatorException {
    // nothing to do here
  }

  public void mediateResourceException(AttributeList attributeList,
                                       OAuthException exception)
    throws OAuth20MediatorException {
    // nothing to do here
  }

  public void mediateToken(AttributeList attributeList)
    throws OAuth20MediatorException {
    final String methodName = "mediateToken";
    LOG.entering(CLASS, methodName, attributeList);
    // Only the resource owner password credentials grant carries a username
    // and password that must be checked against the user registry.
    if ("password".equals(attributeList.getAttributeValueByName("grant_type"))) {
      if (reg == null) {
        // init() could not look up the registry: fail closed instead of
        // throwing a NullPointerException on the request path.
        throw new OAuth20MediatorException("Cannot validate resource owner.",
            new IllegalStateException("UserRegistry is not available"));
      }
      String username = attributeList.getAttributeValueByName("username");
      String password = attributeList.getAttributeValueByName("password");
      try {
        reg.checkPassword(username, password);
      } catch (PasswordCheckFailedException e) {
        throw new OAuth20MediatorException(
            "User doesn't exist or the password doesn't match.", e);
      } catch (CustomRegistryException e) {
        throw new OAuth20MediatorException("Cannot validate resource owner.", e);
      } catch (RemoteException e) {
        throw new OAuth20MediatorException("Cannot validate resource owner.", e);
      }
    }
    LOG.exiting(CLASS, methodName);
  }

  public void mediateTokenException(AttributeList attributeList,
                                    OAuthException exception)
    throws OAuth20MediatorException {
    final String methodName = "mediateTokenException";
    LOG.entering(CLASS, methodName, new Object[] {attributeList, exception});
    if("password".equals(attributeList.getAttributeValueByName("grant_type"))) {
      // clear sensitive data
      attributeList.setAttribute("access_token",
                                 OAuth20Constants.ATTRTYPE_RESPONSE_ATTRIBUTE,
                                 new String[0]);
      attributeList.setAttribute("refresh_token",
                                 OAuth20Constants.ATTRTYPE_RESPONSE_ATTRIBUTE,
                                 new String[0]);
    }
    LOG.exiting(CLASS, methodName);
  }

}

Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=cwlp_oauth_custommediator
File name: cwlp_oauth_custommediator.html