Use the JASPIC Authorization Module on WebSphere 8.5

I have a JASPIC authorization module that works great on GlassFish, WildFly, and WebLogic.

Now we have a new client that uses WebSphere 8.5, and I cannot get the auth module to work properly there.

The problem is that WebSphere does not accept the username that the auth module places in the CallerPrincipalCallback. Our other supported servers simply accept it, but WebSphere believes for some reason that it needs to perform additional checks.

After studying the issue, I came across this: https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014937852

This accurately describes my problem, but there is no solution.

How can I convince WebSphere to simply handle the CallerPrincipalHandler and accept any username like all other servers?

+4
2 answers

WebSphere 8.5's behavior with respect to JASPIC CallerPrincipalCallback processing is NOT compatible with the JASPIC specification.

CallerPrincipalCallback(s) should be able to support the case where the user registry is integrated into the SAM, including establishing user group membership.

SAM, CallbackHandler, PasswordValidationCallback; CallbackHandler; SAM, CallbackHandler, CallerPrincipalCallback.

+5


WebSphere:

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
        Subject serviceSubject) throws AuthException {

    String uniqueid = "test";
    String username = "test";
    String password = "test";

    // WebSphere reads the caller identity from a Hashtable of WSCREDENTIAL_* attributes
    // placed in the Subject's private credentials
    Hashtable<String, Object> hashtable = new Hashtable<>();
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, username);
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_PASSWORD, password);
    List<String> groups = new ArrayList<>();

    // if you want to use an existing group, uncomment this (ctx is a javax.naming.InitialContext)
    // com.ibm.websphere.security.UserRegistry reg =
    //     (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry");
    // String groupID = reg.getUniqueGroupId("testers");
    // groups.add(groupID); // for a federated registry it returns cn=testers,o=defaultWIMFileBasedRealm

    // if you want to use fake groups, just add them here and provide the correct binding file (see below);
    // if you don't want to use groups, omit WSCREDENTIAL_GROUPS
    groups.add("testers");

    hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups); // optional
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "myCustomAttribute" + uniqueid);
    clientSubject.getPrivateCredentials().add(hashtable);

    return AuthStatus.SUCCESS;
}

application.xml:

<security-role>
    <role-name>user</role-name>
</security-role>

ibm-application-bnd.xml:

<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
version="1.2">

  <security-role name="user">
    <user name="test" access-id="user:defaultWIMFileBasedRealm/test"/>
    <group name="testers" access-id="group:defaultWIMFileBasedRealm/testers"/>
    <special-subject type="ALL_AUTHENTICATED_USERS" />
  </security-role>
</application-bnd>

  • user
  • group
  • special-subject



+1
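The snippet above asserts a hard-coded "test" identity on every request. As an added example (not code from the question or either answer), this helper builds the same WSCREDENTIAL_* Hashtable next to the spec-compliant CallerPrincipalCallback/GroupPrincipalCallback call, but only from a caller the module has already verified, so one SAM serves WebSphere and the other servers. `VerifiedCaller` is a hypothetical type standing in for the module's own credential check, and it is assumed that WebSphere accepts the Hashtable without WSCREDENTIAL_PASSWORD when WSCREDENTIAL_UNIQUEID is present.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;

/** Outcome of the SAM's own credential check (hypothetical type; how the caller is verified is not shown). */
final class VerifiedCaller {
    final String uniqueId;      // registry unique id, the value for WSCREDENTIAL_UNIQUEID
    final String name;          // security name the application sees as the caller principal
    final List<String> groups;  // group names; must match the ibm-application-bnd.xml bindings
    VerifiedCaller(String uniqueId, String name, List<String> groups) {
        this.uniqueId = uniqueId; this.name = name; this.groups = groups;
    }
}

final class CallerAssertion {
    /** Establish the caller on both paths; a null caller means the credential check failed. */
    static AuthStatus assertCaller(CallbackHandler handler, Subject clientSubject, VerifiedCaller caller)
            throws AuthException {
        if (caller == null) {   // never assert an identity the module has not verified itself
            return AuthStatus.SEND_FAILURE;
        }
        try {                   // standard JASPIC path, honoured by GlassFish, WildFly and WebLogic
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, caller.name),
                new GroupPrincipalCallback(clientSubject, caller.groups.toArray(new String[0])) });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        // WebSphere path: the Hashtable login from the answer above, filled from the verified caller.
        // WSCREDENTIAL_PASSWORD is left out on purpose (assumed optional) so no secret is stored in the Subject.
        Hashtable<String, Object> ws = new Hashtable<>();
        ws.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, caller.uniqueId);
        ws.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, caller.name);
        ws.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, new ArrayList<>(caller.groups));
        ws.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "sam:" + caller.uniqueId);
        clientSubject.getPrivateCredentials().add(ws);
        return AuthStatus.SUCCESS;
    }
}
```

Call `assertCaller` from `validateRequest` with the `CallbackHandler` received in `initialize()`; when it returns SEND_FAILURE, set the 401 response and return that status so no identity is established.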

Source: https://habr.com/ru/post/1569283/
