2

In the full version of WebSphere you can define JAAS Authentication Entries. Those entries have a unique ID, username and password. Usually those are bound to other configuration entries in WAS, for instance DataSource configurations.

But sometimes you need to access J2C records straight from application code via an API. There are a couple of posts here explaining how to do it in WAS. Usually what you do is:

LoginContext loginContext = new LoginContext("DefaultPrincipalMapping", callbackHandler);
loginContext.login();

It does indeed work in WAS via the JCA API, but not in WebSphere Liberty Profile. Is there any way to access J2C AuthData in WebSphere Liberty Profile? What is the minimum configuration required to set up J2C in server.xml for this purpose?

We have something like:

<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
<authData id="someAppCredentials" user="someUser" password="some Password"/>
<jaasLoginContextEntry id="DefaultPrincipalMapping" name="DefaultPrincipalMapping" loginModuleRef="userNameAndPassword"/>

but it is clearly not enough, since WLP throws: javax.security.auth.login.LoginException: No LoginModules configured for DefaultPrincipalMapping if you try to do loginContext.login().

Roman Kuzmik
  • In case you don't get an answer here, you might want to ask at https://developer.ibm.com/answers/?community=wasdev. The WLP development team is around there and they are quite responsive. – ᄂ ᄀ Jun 17 '14 at 10:41

2 Answers

1

Looks like this feature has been added since version 8.5.5.9.

For more details see: Developing a programmatic login for obtaining authentication data

You will need the following features in server.xml:

<featureManager>
   <feature>appSecurity-2.0</feature>
   <feature>passwordUtilities-1.0</feature>
   <feature>jca-1.7</feature>
</featureManager>

Then define your alias:

<authData id="myAuthData" user="myUser" password="myPassword"/> <!-- password can also be encoded -->

Then access it in the code:

HashMap map = new HashMap();
map.put(com.ibm.wsspi.security.auth.callback.Constants.MAPPING_ALIAS, "myAuthData"); // Replace value with your alias.
CallbackHandler callbackHandler = new com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandler(map, null);
LoginContext loginContext = new LoginContext("DefaultPrincipalMapping", callbackHandler);
loginContext.login();
Subject subject = loginContext.getSubject();
Set<javax.resource.spi.security.PasswordCredential> creds = subject.getPrivateCredentials(javax.resource.spi.security.PasswordCredential.class);
PasswordCredential passwordCredential = creds.iterator().next();

String userName = passwordCredential.getUserName();
char[] password = passwordCredential.getPassword();
// Do something with the userName and password.
Gas
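
A more defensive variant of the lookup in the answer above, added here as an example and not taken from the answer or from IBM's documentation: it fails with a clear error when the alias yields no credential and wipes its own copy of the password once the caller is done. The class name AuthDataLookup and the method withCredentials are hypothetical; it assumes Java 8 and the server.xml features listed in the answer.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.BiConsumer;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandler;

// Hypothetical helper (not a Liberty class): resolves an <authData> alias and
// hands the credentials to a callback instead of returning them to the caller.
public final class AuthDataLookup {
    private AuthDataLookup() {}

    // Example call: AuthDataLookup.withCredentials("myAuthData", (user, pw) -> connect(user, pw));
    public static void withCredentials(String alias, BiConsumer<String, char[]> use)
            throws LoginException {
        Map<String, Object> props = new HashMap<>();
        props.put(Constants.MAPPING_ALIAS, alias);
        CallbackHandler handler = new WSMappingCallbackHandler(props, null);

        LoginContext ctx = new LoginContext("DefaultPrincipalMapping", handler);
        ctx.login();
        Subject subject = ctx.getSubject();

        Set<PasswordCredential> creds =
                subject.getPrivateCredentials(PasswordCredential.class);
        if (creds.isEmpty()) {
            // Avoids the NoSuchElementException that iterator().next() would throw.
            throw new LoginException("No PasswordCredential for authData alias " + alias);
        }
        PasswordCredential pc = creds.iterator().next();

        // Work on a private copy so it can be zeroed without touching the Subject.
        char[] password = pc.getPassword().clone();
        try {
            use.accept(pc.getUserName(), password);
        } finally {
            Arrays.fill(password, '\0'); // do not leave the secret on the heap
        }
    }
}
```

The callback should not log the password or convert it to a String, since a String copy cannot be wiped afterwards.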
0

At this time, the DefaultPrincipalMapping is not supported in the Liberty profile. There is no API for an application to call and get this information. This is something that might be considered in a future release.

Ajay