2. Tech
  3. Portlet security

Portlet security

xiaoxiao2021-03-06  75

The following topics apply to developers who are familiar with the basic concept (described in portlet API and writing portlets).

Use the voucher insurance library to use other credentials and fuse to implement the JAAS search user credentials

Use the credentials insurance

For the resource protected by the portal, WebSphere Portal uses CORBA credentials and encrypted LTPA cookies to authenticate users (see the authentication concept to get details). However, for backend systems that need to have their own authentication, Portlets need to provide some authentication forms to access these remote applications. In order to provide single-point login user experience, portlets must be able to store and retrieve user credentials for special associated applications, and use these credentials to log in to users. WebSphere Portal supports the use of credentials, where users and administrators can securely store authentication credentials. Written portlets for extracting user credentials from the savva can hide the user's login question.

This feature is accurately provided by the voucher insurance. Portlets can use it via Credential Vault PortletService. The following sections provide more information about the voucher insurance.

Credential Insurance Organization Insurance Section Insurance Trough Credential Object Document Insurance User Schedule CredentialVaultService method: Accepting credentials from the fuse

Voucher Insurance Organization

Organize Portal Server's credentials:

The portal administrator can partition the insurance library as several insurance segments. Insurance reservoirs can only be created and configured by the portal administrator. A housing segment contains one or more seclusion slots. The secure bank is a "drawer" of portlet storage and retrieval user credentials. Each slot has a credential. The resource link in the fuse trough and the insurance implementation.

The savage implementation is the location of the user credentials actually stored. An example of a seclusion implementation includes a default database of WebSphere Portal or an IBM Tivoli Access Manager lock box. The resource in the realization of the insurance is corresponding to the application or the backend system that needs to have its own authentication. Examples of resources include Lotus Notes, personnel records, or bank accounts.

Insurance section

Insurance segments are marked as administrator management or user management. When portlets (Representative portal users) can set and retrieve the credentials of the two types of segments, they allow them to create the seclusion slot in the user-managed fuse segment. The figure below shows how to distribute administrators manage insurance in different securities implementations. There is only one user-managed insurance segment and resides in the fuse provided by WebSphere Portal.

Insurance service WebSphere Portal Insurance

User Management Insurance (U) Slot UA Slot UB UC

Administrator Management Section (A1) Tank A1A Slot A1B Slot A1C

Administrator Management Section (A2) Other Insurance Library Implementation Slot A2A Tank A2B Slot A2C

To use another savva, you need the insurance adapter. See Using Other Credential Insurance Exchange for more information.

Insurance groove

WebSphere Portal provides a voucher insurance library to distinguish four different types of insurance storage tanks:

System slots store all users and portlets sharing system credentials. The management slot allows each user to store an administrator defined resource (for example, Lotus Notes) confidential. Shared slots store user credentials shared by the user portlet. Portlet dedicated slots store non-portlet shared user credentials.

Voucher object

CredentialVault PortletService returns credentials in credential object format:

com.ibm.wps.portletService.credentialVault.credentials.credential

WebSphere Portal distinguishes negative and active credentials:

Negative credentials are voucher confidential containers: portlets using negative credentials need to extract confidentiality from the credentials and perform all authentication communications with the backend. Example: Negative Credential Object Using (Pseudo Code) Object UserSecret = Credential.getuserSecret ();

Activity credential object hides the portlet credential confidential and cannot extract it from the credential. As a replacement, the activity credential object provides a business method of all certification. Example: Activity credential object uses (Pseudo code) // log in to the backend system

Credential.login ()

/ / Get the authenticated connection to use

UrlConnection = Credential.GetAuthenticatedConnection ();

// Log out in the backend

Credential.logout ();

The second case allows portlets to trigger authentication for remote servers using standard mechanisms such as basic authentication, HTTP format, or POP3 authentication, or even do not need to know credential confidential. They can request a portal to represent them and then use the already certified connection. From a security point of view, Portlets are not in touch with the voucher, so there is no portlet that may violate any risk of security rules such as in the portlet session. Although it is impossible to always have an appropriate activity voucher class, it is the preferred type of the credential object to be used.

Register all the credential types available in all portals in the Voucher Type Registry. WebSphere Portal provides a small collection of credential types, but can easily register additional credential objects in the registry.

The credentials provided with the current release are:

Negative voucher object:

SimplePassive

This credential object stores confidential in the format of serialized Java objects. Since the current savvy service does not support binary large object (blob) confidential, this object is for future use only.

Userpasswordpassive

A pair of confidential credential objects in the format of the user identification / password.

JaassubjectPassive

Store confidential credential objects in the format of Javax.Security.Auth.Subject object. Again, this type of confidential cannot be stored by the insurance service service.

Activity credentials:

Httpbasicauth

This credential object stores user identity / password confidential and supports HTTP basic authentication.

HttpFormbasedAuth

This credential object stores user identity / password and supports authentication based on HTTP format.

JavaMail

The credential object that stores the user ID / password is paired and affects the authentication function of the Javax.mail API.

Store credential objects in portletations

Document objects do not implement java.io.serializable - they cannot be simply stored in portlets. This is the reason for security. Because the credential class stores the actual credential confidential as one of the dedicated properties, anyone who has access to the application application server session database can find confidential.

However, as long as it is not serialized in the cluster settings, you can store the credential object in the portletSession. One way to do this will define a credential container class that uses the actual credential object as an instantaneous member. You can then store this container object in the portletSession without any problems, just to ensure that you check if the credential object is lost during the serialization, and in this case it retrieves it again from the vault.

Example: Voucher Object Session Verer

Import com.ibm.wps.portletservice.credentialvault.credentials.credential; public class credentialsessionContainer imports java.io.serializable

{

PRIVATE TRENSIENTIAL CREDENTIAL = NULL;

Public void setcredential (Credential Cred) {this.credential = CRED;}

Public Credential getcredential () {return

Public Boolean Hascredential () {Return Credential! = NULL;}

}

Voucher Insurance Usage

There are two options that require credentials to accomplish their services:

With an existing slot, the slot has been defined by the portal administrator in the administrator. Create a slot in the user-managed fuse segment.

The selected option depends on how to use the portlet. Usually, the best solution hides the technical details of the user credentials. Here are some examples of using slots.

Internal network Lotus Notes Mail portlet

The company has an internal network employee portal. Each portal user has a Lotus Notes mail server account and deploys and pre-configured Lotus Notes mail portlets on a page of the Employee Default Portal.

Design solution:

NOTES mail portlets need to store users' Notes passwords. As most users actually use this portlet, the administrator needs to create a "Lotus Notes Credential Slot". Administrators use the portlet configuration to set the fuse slot identifier for all specific portlet instances. Portlet allows users to set up personal notes passwords in editing mode. Portlets can store the password for each user in the voucher insurance library.

Stock portlet

The company's purchase department runs a portal integrating different old applications. One of these applications is the large-scale normal application that is directly connected to the supplier system. Multiple employees use the sequencing portlet. However, the mainframe application is protected by a single system; it does not support multiple user accounts.

Design Solution: The sequencing portlet requires the system identification access to the order. During portlet deployment, administrators configure the secure bank ID. Therefore, the portal administrator creates a fuse slot in the vault of the administrator management, and marks it as a system credentials. Administrators use the voucher insurance portlet in this slot to store the order system identity and password. The employee of the purchase department does not have to care about the credentials.

Internet Mail Union POP3 portlet

The Internet Public Portal provides a portal user in other features that users can use to collect mail messages from a certain number of POP3 mail accounts.

Design Solution: Mail Union portlet is only another functional component of the public portal, so it may be used by some portal users. In addition, you don't know how many mail accounts need to be combined from outside. Therefore, it is meaningless to create a seclusion slot for the portlet. Instead, portlets provide a comfortable configuration for users in editing mode. Users can add all the required POP3 mailboxes. Portlet creates a secure bank for each user email address for the user manages the fuse segment.

In theory, users can configure two portlet instances on the page, one for a business account, another for a private mail account. So, because it is most impossible to share user mail vouchers with other portlets, the portlet created by the insurance library slot is dedicated to portlet.

The CredentialVaultImplementation.zip file contains the code section that uses the voucher insurance service in the WP_ROOT / DEV directory. This file also contains an illustration of an integrated this code to the portlet. Constructing code allows administrators to choose whether users can create their own seclusion slots for their credentials, and store their credentials in the administrator-defined slot, or use system credentials. The Credential_Vault_Readme.html file provides an instructions for administrators and can be used as the basis of the portlet documentation provided with the portlet. CredentialVaultService method

This section provides a main overview of the method of portlets that can be used by CredentialVaultService.

Getcredentialtypes

This method returns a list of credential types registered in the Voucher Type Registry.

The return value credential type returns in the format of the string object iterative.

Getslotdescription

This method returns a description of a slot in a specified language environment.

parameter

The sign of the slotid [string] slot. Locale [local] describes the language environment. If set is empty, the default locale will be used.

Return Value Description Returns in the format of the string object.

Abnormal portletServiceException: If you cannot retrieve a description, discard it.

Getaccessibleeslots

This method returns a list of all the slots used to portlet.

parameter

Request [PortletRequest] To determine the portlet identity, the Portlet application ID, the CredentialVault service requires the portlet request.

Return Value This description returns in the format of the Credentialslotconfig object iterative.

Abnormal portletServiceException: If you cannot retrieve a list of slots, discard it.

SetCredentialSecretBinary

This method sets a credential secret with binary credential data.

parameter

The sign of the slotid [string] slot. Secret [BYTE []] Secretary Document Data of binary format. Request [PortletRequest] To determine the portlet identity, the Portlet application ID, the CredentialVault service requires the portlet request.

Abnormal portletServiceException: If the voucher is not a binary type or cannot be set, it will be discarded.

SetCredentialSecretUserpassword

This method sets credential secrets with credential data with the user identity / password pair format.

parameter

The sign of the slotid [string] slot. UserID [String] Voucher user ID. Password [char []] credential password. Request [PortletRequest] To determine the portlet identity, the Portlet application ID, the CredentialVault service requires the portlet request.

Abnormal portletServiceException: If the voucher is not a binary type or cannot be set, it will be discarded.

Createslot

This method creates a new slot.

parameter

ResourceName [String] Resource Name. SegmentID [ObjectID] Create a slot of the object identity of the vault. Descriptions [MAP] Human understandable is understood from the description of the slot, and the key is generated by the description. A description - at least in the default locale - always only for the portlet private slot, the user is not possible to view this description, in which case it is set to empty. Keywords [MAP] describes the characteristics of the slot and a list of keywords that can be used for search. Secrettype [INT] CredentialVaultService confidential type defined in the constant. Active [Boolean] Initialize the configuration parameter map required for the credential object. Most voucher categories do not have these parameters (set by empty). See the credential class document for more information. The portletprivate [boolean] logo indicates that the slot is portlet monitizes or can be shared by other portlets. Request [PortletRequest] To determine the portlet identity, the Portlet application ID, the CredentialVault service requires the portlet request. Return Value This method returns the Credentialslotconfig object of the newly created slot.

Abnormal portletServiceException: If the voucher is not a binary type or cannot be set, it will be discarded.

getDefaultVaultSegmentID

Returns the ObjectID of the fuse segment that is default user-managed. There is currently only the slots managed by the user, so returns the identity of the user management segment.

Return Value This method returns the ObjectID of the seclusion segment of the default user management, if the default user management is not available, it is empty.

Abnormal portletServiceException: If you cannot retrieve the information of the insurance segment, discard it.

GetAllVaultSegments

Returns a list of all fuse segments.

Return Value This method returns all secure bars in the VaultSegmentConfig object list format.

Abnormal portletServiceException: If you cannot retrieve the information of the insurance segment, discard it.

Getcredential

This method retrieves a credential from the voucher insurance library.

parameter

The sign of the slotid [string] slot. Secrettype [INT] CredentialVaultService confidential type defined in the constant. Config [MAP] Initialize the configuration parameters required for the voucher object. Most voucher categories do not have these parameters (set by empty). See the credential class document for more information. Request [PortletRequest] To determine the portlet identity, the Portlet application ID, the CredentialVault service requires the portlet request.

Return Value This method returns the Credentialslotconfig object of the newly created slot.

abnormal

PortletServiceException is discarded if the credential confidential is not a binary type or cannot be set. CredentialSecretNotSETEXCEPTION If no respective credential secret is set, then discard. If there is a problem with the credentials are user credentials, the portlet should re-operate the exception by prompting the user to obtain the credential data to call the respective setCredential () method.

GetUsersubject

This method returns the user JaaS object. This is a special example of getCredential call.

parameter

Request [PortletRequest] To determine the portlet identity, the Portlet application ID, the CredentialVault service requires the portlet request.

Return Value This method returns the Credentialslotconfig object of the newly created slot. Abnormal portletServiceException: If the voucher is not a binary type or cannot be set, it will be discarded.

Example: Accepting credentials from a fuse

Below is a portlet example of logging in to a web application protected by a user ID / password credential to a web application protected by a login page based on an HTTP form. Example shows how to read credentials from the secluence of CredentialVaultService and how to use this credential. It does not display how the portlet is inquiry in the portlet to query the user to get his / her confidentiality and store it in the fuse.

Example: portlet and httpformasedAuthcredential Using CredentialVault PortletService

Import org.apache.jetspeed.portlet.service.portletServiceException;

Import com.ibm.wps.portletservice.credentialvault.credentialvaultService;

Import com.ibm.wps.portletService.credentialVault.credentialsecRetNotseTexception;

Import com.ibm.wps.portletService.credentialVault.credentials.httpFormbasedAuthCredential;

...

Public Void DoView (PortletRequest Request, PortletResponse Response)

Throws portletException, IOException

{

// Get Output Stream and Write out the results

PrintWriter Writer = response.getwriter ();

// Get The CredentialVault PortletService

PortletContext Context = this.getPortletConfig (). GetContext ();

CredentialVaultService Service =

CredentialVaultService) Context.getService (CredentialVaultService.Class);

// Retrieve Slotid from Persistent Portlet Data

String slotid = (string) Request.getdata (). GetAttribute ("Vaulttestslotid);

IF (slotid == NULL) {

Writer.println ("

Credential Not Found. Please set it in the edit mode! ");

Return;

}

// Bundle The Credential Config Data

Hashmap config = new hashmap ();

Config.put (httpformBasedAuthcredential.Key_Userid_attribute_name, "userid");

Config.put (httpformasdauthcredential.key_password_attribute_name, "password");

Config.put (httpformasdaut ";" Eai.Yourco.com/login.jsp "); config.put (httpformBasedAuthcredential.Key_Logout_URL," Eai.Yourco.com /quit.jsp ");

Config.put (httpformasdauthcredential.key_use_auth_cookies, boolean.true);

// Get The Actual Credential from the Credential Vault

HttpFormbasedAuthcredential Credential;

Try {

Credential = (httpformBasedAuthcredential)

Service.getcredential (Slotid, "HttpFormbasedAuth", Config, Request;

} catch (portletServiceException serviceExc) {

Writer.println ("

Credential Vault Error, please contact Your Admin! ");

Return;

} catch (credentialsecretnotsetException useXEREXC) {

Writer.println ("

Credential Not Set. Please set it in the edit mode! ");

Return;

}

Try {

// Use Credential Object To log in turnend server

Credential.login ();

// Get An Authenticated Connection to the Backend Server and Send The Actual Request

CONNECTION = Credential.GetAutAuthenticatedConnection ("Eai.Yourco.com/request.jsp");

// Work with the connection: send an http get or post and evalent the response

[...] // Your Business Code

// Use Credential Object to log out at the backend server

Credential.logout ();

} catch (ioException eXC) {

Writer.println ("

Single-Sign-on Error, Login At Backend Failed! ");

Return;

}

// Get Output Stream and Write out the results

PrintWriter Writer = response.getwriter ();

}

Use other credential insurance libraries

You can use the savan of WebSphere Portal or provide your own implementation. The voucher insurance service allows you to connect the portal to other savvy through a write savor adapter. Each fuse is implemented in your own seclusion adapter and portal. In addition to the savva adapter, Portal Server must be configured to use the new firing. See the voucher insurance library for more information.

Below is an example of a seclusion adapter, a MemoryVault, which extends the VaultAdapter class. Use the following criteria when you write your own seclusion adapter. All abstract methods are required. Alternatively, if their adapters need to be initialized or terminated, they may reset the init () and destroy () methods. For the WebSphere Portal to load the adapter, there must be a common, non-variable constructor. Among them, the setversion () method should be called to set the description of the fuse adapter.

Insurance adapter example

/ * @copyright sample * /

Package com.ibm.wps.sso.vaultService;

Import com.ibm.logging. *;

Import com.ibm.logging.mgr. *;

Import java.util.iterator;

Import java.util.hashtable;

Import com.ibm.wps.puma.user;

Import com.ibm.wps.util.databackendexception;

Import com.ibm.wps.sso.vaultService.exceptions. *;

Import com.ibm.wps.sso.credentialvault.secrets.credentialsecret;

/ **

* In Memory Sample Vault. It Uses a Hashtable of Hashtables To Store THE

* CREDENTIALS

*

* 



* Licensed Materials - Property Of IBM, 5724-B12, (C) Copyright IBM Corp. 2002


*


* DiscLaimer of Warranties:


* -------------------------


* The folload [encluded] code is sample code created by ibm corporation.


* This Sample Code is provided to you solely for the purpose of associSTING


* You in the development of your applications.


* The code is provided "as is", WITHOUT WARRANTY OF ANY KIND. IBM Shall


* NOT BE LIABLE for Any Damages Arising Out of Your Use of the sample code,


* Even if They Have Been Advised of The Possibility of Such Damages.


* 


* /


Public class memoryvault extends vaultadapter {


/ ** Copyright * /


Private static final string copyright =


"Licensed Materials - Property Of IBM, 5724-B12, (C) Copyright IBM CORP. 2002"


/ ** Version string * /


Private final static string version =


"WebSphere Portal Sample Memory Vault 1.0";


/ ** supported secret type * /


Private final static int [] supported_secrets = {CREDENTIALSecret.Type_Userid_string_password_string};


/ ** Resource HashTable * /


PRIVATE HASHTABLE RESOURCES = NULL;


/ **


* Init Routine. Sets the version string


*


* @Param String Configuration FileName


* @return true if initialization succeeded, false if initialization failed.


* /


Public Boolean Init (String ConfigfileName) {


// set the Version


SetVersion (Version);


// Create The Resource Hashtable


Resources = new hashtable ();


Return (TRUE);


}


// resource methods..


/ **


* Adds a resource of the given name to the vault.


*


* @Param Resource Resource Name to create


* @Throws DataBackendexception Problem Communicating with the THE


* Backend Vault or the Resource Could Not Be


* Added


* /


Public void createresource (String Resource)


Throws DataBackendexception {


// add it if we don't have it


IF (! (!))))


Resources.put (resource, new hashtable ());


} else {


Throw (New DataBackendexception ("The Resource Already Exists);


}


}


/ **


* Deletes the specified resource from the vault.


*


* @Param Resource Resource Name to Delete


* @Throws DataBackendexception Problem Communicating with the THE


* Backend Vault or if The Resource Could Not


* Be deleted


* /


Public void deleteresource (String Resource)


Throws DataBackendexception {


// Remove The Resource from the hashtable


IF (ContainSResource (resource)) {


Resources.remove (resource);


} else {


"New DataBackendexception (" The Resource Does Not Exist);


}


}


/ **


* TELLS IF The Vault Contains The Specified Resource.


*


* @Param Resource Resource Name


* @Return True if The Vault Has The Resource, False Otherwise


* /


Public Boolean ContainsResource (String Resource) {


Return (resource));


}


/ **


* Returns a list of resources


*


* @Return Iterator of Resources


* /


Public iterator listresources () {


Return (Resources.Keyset (). Iterator ());


}


/ **


* Returns an Array of Integers of The Supported Secret Types


*


* @see credentialsecret


* @Return Array Of Supported Secret Types


* /


Public int [] getsupportedsecrettypes () {


Return (Supported_Secrets);


}


/ **


* Tells if the specified secret type is supported


*


* @Param Int Secrettype to Check


* @see credentialsecret


* @Return True if The Secret Type Is Supported, False Otherwise


* /


Public Boolean ISsecrettypeSupported (Int SecretType) {


For (int i = 0; i 

IF (Secrettype == Supported_secrets [i]) {


Return (TRUE);


}


}


// not supported.


Return (False);


}


// Credential Operation methods.


/ **


* Adds a mapped credential of the provided secret type under the


* Specified resource.


*


* @Param Secret Credential Secret To Add


* @Param User user object


* @Param Resource Resource To Add The Credential Under


* @Throws SecretTypenotsupportedException The Provided Secret Type IS


* Not supported.


* @Throws DataBackendexception Problem Communicating with the THE


* Backend Vault or the Credential Could Not


* Be Added


* /


Public void addcredential (Credentialsecret Secret,


User User,


String resource)


THROWS SecrettypenotSupportedException,


DATABACKENDEXCEPTION {if (! (ISsecrettypeSupported (secret.gettype ()))) {


Throw (New SecretTypenotsupportedException ("Secret Type /"   Secret.gettype ()   "/" Is Not Supported ");


}


// do WE HAVE THIS RESOURCE?


IF (ContainSResource (resource)) {


// Get the hash for this resource


Hashtable Credentials = (Hashtable) resources.get (resource);


// add the secret


Credentials.put (user.getid (), secret);


} else {


"New DataBackendException (" The Credential Could Not Be Added, The Resource Does Not Exist);


}


}


/ **


* Modifies a mapped credential of the provided secret type under the


* Specified resource.


*


* @Param Secret New Credential SECRET


* @Param User user object


* @Param Resource Resource to Modify The Credential Under


* @Throws SecretTypenotsupportedException The Provided Secret Type IS


* Not supported.


* @Throws DataBackendexception Problem Communicating with the THE


* Backend Vault or if The Credential Was NOT


* Found


* /


Public void modifycredential (Credentialsecret Secret,


User User,


String resource)


THROWS SecrettypenotSupportedException,


DataBackendexception {


IF (! (iSsecrettypeSupported)))))


Throw (New SecretTypenotsupportedException ("Secret Type /"   Secret.gettype ()   "/" Is Not Supported ");


}


Boolean EXISTS = FALSE;


// do WE HAVE THIS RESOURCE?


IF (ContainSResource (resource)) {


// Get the hash for this resource


Hashtable Credentials = (Hashtable) resources.get (resource);


// does the user has an entry?


IF (Credentials.Containskey (user.getid ())) {


// Change the secondcredentials.put (user.getid (), secret);


EXISTS = TRUE;


}


}


IF (! exists) {


New DataBackendexce ("The Credential Was Not Found");


}


}


/ **


* Deletes a mapped credential of the provided secret type under the


* Specified resource.


*


* @Param SecretType Secret Type


* @Param User user object


* @Param Resource Resource to Delete the Credential Under


* @Throws SecretTypenotsupportedException The Provided Secret Type IS


* Not supported.


* @Throws DataBackendexception Problem Communicating with the THE


* Backend Vault or the Credential Was NOT


* Found


* /


Public void deletecredential (int SecretType,


User User,


String resource)


THROWS SecrettypenotSupportedException,


DataBackendexception {


IF (! (iSsecrettypeSupported (Secrettype))) {


Throw (New SecretTypenotsupportedException ("Secret Type /"   SecretType   "/" Is Not Supported ");


}


Boolean EXISTS = FALSE;


// do WE HAVE THIS RESOURCE?


IF (ContainSResource (resource)) {


// Get the hash for this resource


Hashtable Credentials = (Hashtable) resources.get (resource);


// does the user has an entry?


IF (Credentials.Containskey (user.getid ())) {


// change the secret


Credentials.Remove (user.getid ());


EXISTS = TRUE;


}


}


IF (! exists) {


New DataBackendexce ("The Credential Was Not Found");


}


}


/ **


* RETRIEVES a mapped credential of the provided secret type under the


* Specified resource.


*


* @Param int SECRET TYPE


* @Param User user object


* @Param Resource Resource to Delete the Credential Under


* @Return Credentialsecret Containing The Mapped Credentials * @Throws SecretTypenotsupportedException The Provided Secret Type IS


* Not supported.


* @Throws DataBackendexception Problem Communicating with the THE


* Backend Vault or if The Credential Does


* NOT EXIST


* /


Public CredentialSecret Getcredential (int SecretType,


User User,


String resource)


THROWS SecrettypenotSupportedException,


DataBackendexception {


IF (! (iSsecrettypeSupported (Secrettype))) {


Throw (New SecretTypenotsupportedException ("Secret Type /"   SecretType   "/" Is Not Supported ");


}


Credentialsecret Secret = NULL;


// do WE HAVE THIS RESOURCE?


IF (ContainSResource (resource)) {


// Get the hash for this resource


Hashtable Credentials = (Hashtable) resources.get (resource);


// does the user has an entry?


Secret = (CREDENTIALSecret) Credentials.get (user.getid ());


}


IF (null == secret) {


New DataBackendexce ("The Credential Was Not Found");


}


Return (SECRET);


}


}


Use JAAS to retrieve user credentials


Single sign-in support in WebSphere Portal allows users to communicate with many different backend systems via portalet without passing by portalet, without having to enter usernames and passwords multiple times by each other portlet. WebSphere Portal Internal Using Java Authentication and Authorization (JAAS) APIs to log in to portlets for integrated single point and provide frameworks through these portlets to the backend application.


After the user is certified, WebSphere Application Server generates a security context for the user. WebSphere Portal uses this security context to set the JAAS topic that contains multiple subjects and dedicated credentials inside the portal.


When the portal processes the HTTP request, it will set the JAAS topic and allow it to be used as a user property, and the portlet can be accessed from the portletSession object. From the topic, portlets can use one of the following methods to extract the subjects and credentials to be passed to its backend application.


Getprincipals


Java.lang.class)


Category is optional. If you do not specify an argument, this method returns a collection of all subjects. use


The class.Forname (Name) method generates a class of variables for GetPrincipals. Please refer to the following example. PortletContext Context = this.getPortletConfig (). GetContext ();


CredentialVaultService Service = (CredentialVaultService) Context.getService (CredentialVaultService.class);


Subject Subject = Service.getusersubject (portletRequest);


// get the user dn


Set set = Subject.getPrincipals (Class.Forname ("com.ibm.wps.sso.us.userdnprincipal");


Userdnprincipal Userdn = NULL;


IF (set.hasnext ()) {


Userdn = (UserDnprincipal) set.next ();


// Got IT, Print Out What IT Contains.


System.out.println ("The User DN IS"   Userdn.getName ();


}


Here are some class names that can be used with class.forname ().


com.ibm.wps.sso.userdnprincipal


Return to users from LDAP


com.ibm.wps.sso.groupDnprincipal


Returns the proprietary name of the LDAP group (user is the member of the group). GroupDnPrincipals instance number is the same as the number of LDAP groups belonging to the user.


com.ibm.wps.sso.useridprincipal


Returns only when the authentication agent is not used, the user uses it to log in to the portal.


com.ibm.wps.sso.passwordcredential


Returns the user using it to log in to the password of the portal. Only when the authentication agent is not used.


All subjects from Java.Security.PrIncipal from standard JDK. Portlet call getName () extracts the information contained in these mains. Before the portlet can extract any information from the subject, it must first get the portletSession, then the User, and finally the subject.


GetPrivatecredentials


Java.lang.class)


Category is optional. If you do not specify an argument, this method returns a collection of all privatecredentials. In addition to using


Class.Forname (Name) Gets a Class object from the class name string of this method. To get the user's CORBA credentials, please


Org.omg.securityLevel2.credentials is specified as


Class.Forname () of the argument.


Basic certification sample


The next example demonstrates how to extract the topic from portletations, and then extract the username and password from the topic. Next, portlet creates a basic authentication header and attempts to connect to the basic authentication protected URL. The URL is specified as the configuration parameters in the portlet.xml. For the output, it displays the result of the username, password, and connection attempt.


In the service () method, the JAAS topic is extracted from CredentialVaultService.


Import java.io. *;


Import java.net. *;


Import java.util. *;


Import java.security. *;


Import javax.security.auth. *; // for the jaas subjectimport com.ibm.wps.sso. *; // for the principals contained in the Subject


Import com.ibm.wps.portletservice.credentialvault.credentialvaultService; // for the Credential Service


Import com.ibm.ejs.security.util.base64coder;


Import org.apache.jetspeed.portlet. *;


Import org.apache.jetspeed.portlets. *;


Public class urlssosampleportlet extends Abstractportletlet {


/ ** URL TO Access * /


PRIVATE STRING URLSPEC = NULL;


/ **


* Initialization Routine


*


* @Param PortletConfig Portlet Configuration


* @Throws UnavailableException


* /


Public void init (PortletConfig portletconfig)


Throws unavailableException {


Super.init (portletconfig);


// Get the URL


Urlspec = portletconfig.getattribute ("URL");


}


/ **


* Retrieves The Specified Principal from The Provided Subject


*


* @Param Subject SUBJECT


* @Param String Class Name


* @Return the value of the principals for the given class name, nulliff


* Nothing Was Returned


* @Throws portletException An error Occurred Retrieving The Principal


* /


Private string [] getprincipalsfromsubject (Subject Subject,


String classname)


Throws portletException {


Try {


// Get the set of principals


Object [] Principals =


Subject.getPrincipals (Class.Forname (ClassName)). TOARRAY ();


// do we have any?


IF (NULL == Principals) || (0 == Principals.length)) {


// no principals of this class name


Return (NULL);


}


// Create the string array to hold the value


String [] VALUES = New String [Principals.Length];


// Populate the VALUES ARRAY


For (int current = 0; current 

VALUES [CURRENT] = ((Principal) Principals [current]). GetName ();


Return (VALUES);


} Catch (ClassNotFoundException CNFE) {


Throw (New PortletException ("Class"   ClassName   "Could Not Be Found",


CNFE));


}


}


/ **


* Extracts the userid and password from the jaas subject, creates a Basic


* Auth header from it, and then connects to the resource.


*


* @Param PortletRequest Request Object


* @Param PortletResponse Response Object


* @Throws portletException


* @Throws ioException


* /


Public Void Service (PortletRequest PortletRequest,


PortletResponse PortletResponse)


Throws portletException,


IOEXCEPTION {


// Get The Writer from the response


PrintWriter Writer = portletResponse.getwriter ();


PortletContext Context = this.getPortletConfig (). GetContext ();


CredentialVaultService Service = (CredentialVaultService) Context.getService (CredentialVaultService.class);


Subject Subject = Service.getusersubject (portletRequest);


// grab the userid and password. There. There. There. There. There


// contained in the subject.


String [] userid = getprincipalsfromsubject (Subject,


"com.ibm.wps.sso.useridprincipal");


String [] password = getprincipalsfromsubject (Subject,


"com.ibm.wps.sso.Passwordcredential");


// THE URL


Writer.println ("
");
Writer.println ("


   URL:   "   urlspec  


" ");


// Show the userid and password


Writer.println ("
   userid:   "   UserId [0]  


" ");


Writer.println ("
   password:   "   password [0]   " ");


// Create the Basic Auth Header


String Basicauth = base64coder.base64encode (userid [0]  


":"    


Password [0]);


Basicauth = "Basic"   BasicAuth;


Writer.println ("
   Basic Auth Header:   "  


BasicAuth  


" ");


Writer.println (" 
");


// Create the url forur protected resource, and get a urlConnection


Try {


URL URL = New URL (URLSPEC);


HTTPURLCONNECTION Con = (httpurlconnection) URL.OpenConnection ();


// set out yur baraspecially header


Con.SetRequestProperty ("Authorization", BasicAuth;


// connect


C.Connect ();


// Get The Response Code


String responseMessage = con.getResponseMessage ();


Int responsecode = con?getResponsecode ();


// WERE WE SUCCESSFUL?


IF (httpurlconnection.http_ok ​​== responsecode) {


Writer.println ("
 successful all"  


URLSPEC   "! ");


} else {


Writer.println ("
 Unable to successfully connect to"  


URLSPEC   ", http response code ="  


Responsecode  


", Http Response message = /" " 


ResponseMessage   "/"  ");


}


} catch (exception e) {


Writer.println ("
 Exception Caught in HTTP Connection:  );


Writer.println (E.GetMessage ());


E.PrintStackTrace (Writer);


Writer.println ("");


}


}


}


LTPA example


Lightweight Third Party Authentication (LTPA) is a mechanism for providing single sign-on between WebSphere Application Server and Domino Server in the same security domain. The LTPA tag is executed as a cookie in the HTTP request. This section example assumes that the portlet access is the protected resource on WebSphere Portal's WebSphere Application Server installed. If the resource resides on another WebSphere Application Server or Domino Server, enable single sign-on between them.


Extract LTPA tag


Object [] temp =


Subject.getPrivatecredentials (LTPATOKENCREDENTIAL.CLASS) .toarray ();


LTPATOKENCREDENTIAL LTPATOKEN = (LTPATOKENCREDENTIAL) TEMP [0];


// Create The LTPA Cookie Header


String cookie = "ltpatoken ="   ltpatoken.getToKenString ();


// Create the url forur protected resource, and get a urlConnection


URL URL = New URL ("http://myserver.example.com/ltpa_protected_resource");


HTTPURLCONNECTION Con = (httpurlconnection) URL.OpenConnection ();


// setur LTPA token cookie


Con.SetRequestProperty ("cookie", cookie;


// connect


C.Connect ();


Access Manager example


This example describes how to retrieve user credentials when portlet is running an Access Manager for an authenticated environment. See Configuring IBM Tivoli Access Manager for more information.


The connection between the WebSEAL server and the WebSphere Application Server is the node. The WebSEAL node allows other server file systems to web space and view resources as a single, unified object space. Access Manager provides a mechanism through WebSeal to provide single sign-on between each node by using session cookies. To achieve this goal, WebSEAL must be the authentication server that protects WebSphere Portal and WebSEAL protected portlets must reside in the same Access Manager domain as Portal Server.


Websealloginmodule places WebSEALCREDENTIAL in JASS topics for logging in. Websealcredential has PD-S-session-ID, PD-H-session-ID and PD-ID cookies. Not all cookies can exist in the request, so if they do not display, WebSEALCREDENTIAL will return empty in its call. For example, if Access Manager does not provide authentication, all of these calls will return empty. Portlets should only return to non-empty values ​​for one of these Getter methods:


Method for extracting the extraction value in the cookie name aalcredential PD-S-session-idGETPDSSessionID () PD-H-SESSION-IDGETPDHSESSIONID () PD-IDGETPDID () The following sample extracts WebSEALCREDENTIAL from JASS topics, and prints the content of each cookie.


Extract WebSEAL voucher


// 's GET..


Object [] CREDs =


Subject.getPrivatecredentials (WebSEALCREDENTIAL.CLASS) .Toarray ();


IF (1! = CReds.length) {


Writer.println ("
 NO Webseal Credential Found... ");


Return;


}


// Cast It..


Websealcredential Websealcredential = (WebSEALCREDENTIAL) CREDS [0];


//Print out the intencersting stuff.


Writer.println ("
 WebSEALCREDENTIAL Information:  / n ");
Writer.println ("


  PD-S-session-id  "  


Websealcredential.getpdssessionId ()   " ");


Writer.println ("
  PD-H-session-id  "  


Websealcredential.getPDHSessionID ()   " ");


Writer.println ("
  PD-ID  "  


WebSEACREDENTIAL.GETPDID ()   " ");


Writer.println ("");


Related Information


HTTP proxy configuration Writing portlet

转载请注明原文地址:https://www.9cbs.com/read-93136.html
9cbs
New Post(0)

    



CopyRight © 2020 All Rights Reserved
                


Processed:
0.035, SQL:
                9