
I've got two applications running within a single instance of WAS 7.0 server, one of which is IBM Business Space (which is irrelevant in this case, but anyway), the other one is a RESTful service I'm developing. Both apps interact with the FileNet Content Engine. I know that the Business Space uses JAAS to handle authentication and authorization tasks and so does my service. The requirement is, while accessing the service, to perform requests to FileNet from within the service using the security token of the user who has already logged in to the Business Space. I don't have a deep understanding of the JAAS mechanism and may be mistaken, but a quick Google search says that it is possible to obtain the JAAS Subject of the logged-in user and pass it to the UserContext of my service. The code I'm using is the following:

import javax.security.auth.login.LoginContext;
import com.filenet.api.util.UserContext;

// userContext is an instance field that stays null until first use
if (userContext == null) {
    userContext = UserContext.get();              // UserContext bound to the current thread
    if (userContext.getSubject() == null) {
        // no CallbackHandler is passed, so the "config" login module has no source of credentials
        LoginContext loginContext = new LoginContext("config");
        loginContext.login();
        userContext.pushSubject( loginContext.getSubject() );
    }
}
UserContext.set(userContext);

Corresponding JAAS Configuration file:

config {
    com.filenet.api.util.WSILoginModule required;
};

I have the following questions:

  • Should I pass a callback handler to the LoginContext constructor, provided I don't want to prompt the user to enter credentials if he hasn't logged in to the Business Space app?
  • Do I have to tweak any of the WAS settings to make this scenario work?

UPDATE

I've set:

  • BASIC auth method in the web.xml to prompt the user for credentials using the browser-specific dialog
  • path to the jaas.conf file specifying which implementation of the LoginModule class to use

When I test this solution, it fails with the following error:

javax.security.auth.login.LoginException: Error: no CallbackHandler available to get authentication information

Provided a callback, authorization succeeds, which means that for some reason the service cannot retrieve the required JAAS Subject.

What am I missing?


Also, I came across the following statement on the IBM website:

One of the advantages inherent to the EJB transport layer is the ability to leverage Java™ Authentication and Authorization Service (JAAS)-based authentication.

It doesn't state, however, that it's impossible to leverage JAAS while using WS transport. Or does it?

koss

1 Answer


You're right, since you already have the user info you don't need callbacks (which are used in form-based authentication). As far as WAS settings are concerned, you'll have to decide that one yourself. Here is a very good tutorial.

But have you considered using a simpler SSO mechanism to persist the auth context between WAS profiles/servers?

Marko Bonaci
  • Thanks for this article, I read it and I've already got the JAAS config defined, yet authorization doesn't work. As for your suggestion about SSO, I don't think it is simpler - for two applications working within the same app container an SSO solution is kind of excessive. – koss Jun 11 '13 at 05:34
  • I thought you were using different WAS profiles (then SSO boils down to exporting and importing the LTPA token). BTW, FileNet CE uses JAAS only for authentication. For authorization, CE uses the LDAP that you defined when you installed it. – Marko Bonaci Jun 11 '13 at 11:02
  • @mbonaci It is confusing to contrast the use of JAAS and LDAP for authentication/authorization. In some regard LDAP is used for both. It is true however that JAAS is not used for authorization checks. – ᄂ ᄀ Jul 21 '13 at 12:58
  • @fnt I wasn't comparing nor was I contrasting JAAS to LDAP in general, cuz', I agree, that wouldn't make much sense. Thanks for clarifying that, though. – Marko Bonaci Jul 21 '13 at 19:46
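The thread above turns on two points: the `LoginException` in the question is what a JAAS login module raises when it is handed no `CallbackHandler` and has no other source of credentials, and the answer's advice is that a service running behind WebSphere's own authentication does not need to log in again, because a Subject for the caller already exists. The following Java class, added here as an illustration (it is not code from the question, from the answer, or from IBM), shows both routes side by side: binding the caller's existing Subject to the FileNet `UserContext`, and the explicit JAAS login with a non-interactive handler for the cases where the service legitimately holds credentials. It assumes WebSphere's `com.ibm.websphere.security.auth.WSSubject.getCallerSubject()` is available in WAS 7.0; the class and method names (`FileNetSubjectBinding`, `bindCallerSubject`, `loginWithCredentials`, `withCallerSubject`) are invented for the example. `UserContext` is bound to the current thread, which is why the example pops the Subject in a `finally` block rather than caching the context in a field the way the question's snippet does: on a pooled servlet thread a leftover Subject would otherwise be reused for the next, unrelated request.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.concurrent.Callable;

import com.filenet.api.util.UserContext;
import com.ibm.websphere.security.auth.WSSubject;   // assumption: WAS-specific API

/**
 * Two ways of giving the FileNet API a JAAS Subject for the current request.
 * Illustrative code; class and method names are invented for this example.
 */
public final class FileNetSubjectBinding {

    /**
     * Preferred route: reuse the Subject WebSphere already authenticated for the caller
     * (BASIC, form or LTPA). Nothing is prompted and the service never sees a password.
     * Returns false for an unauthenticated request so the caller can reject it.
     */
    public static boolean bindCallerSubject() throws Exception {
        Subject caller = WSSubject.getCallerSubject();   // null when the request is unauthenticated
        if (caller == null) {
            return false;
        }
        UserContext.get().pushSubject(caller);          // UserContext is bound to this thread
        return true;
    }

    /**
     * Alternative route: explicit JAAS login through a jaas.conf entry such as the
     * question's "config", with a CallbackHandler that answers NameCallback and
     * PasswordCallback without any user interaction. Omitting the handler is what
     * produces "no CallbackHandler available to get authentication information".
     * Use this only where the service legitimately holds the credentials (a service
     * account, for instance), since the password passes through application code.
     */
    public static Subject loginWithCredentials(String jaasEntry, final String user,
                                               final char[] password) throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb, "unexpected callback");
                    }
                }
            }
        };
        LoginContext lc = new LoginContext(jaasEntry, handler);
        lc.login();
        return lc.getSubject();
    }

    /** Run one unit of FileNet work as the caller, and always unbind the Subject afterwards. */
    public static <T> T withCallerSubject(Callable<T> work) throws Exception {
        if (!bindCallerSubject()) {
            throw new SecurityException("request is not authenticated");
        }
        try {
            return work.call();
        } finally {
            UserContext.get().popSubject();   // pooled threads: never leave one user's Subject behind
        }
    }
}
```

A REST resource method would wrap its Content Engine calls in `withCallerSubject(...)`; `loginWithCredentials` is kept only for the service-account case, where the `jaas.conf` entry names `com.filenet.api.util.WSILoginModule` as in the question.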