- Create a custom TAI for WebSphere Portal
- Install the TAI on the server
- Create a simple PGP security class
In the final part of this series, we'll examine how to use the PGP class in our custom TAI.
Updated code:
package test.security.tai;
import java.util.HashMap;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.security.pgp.PGPSSOUtil;
/**
* Custom Trust Association Interceptor
*
* Project imports the jar wssec.jar for development purposes.
* Found in the server runtime lib directory ($irad_home$\runtimes\base_v6\)
*
**/
public class CustomPortalTAI implements TrustAssociationInterceptor
{
private static final String VERSION = "Custom TAI version 1.0 \n Author: SirCrofty \n " + "Last Updated: March 1, 2008";
private static final String TYPE = "--- Custom TAI --- \n Custom Trust Association Interceptor for WebSphere Portal Application";
HashMap sharedState = null;
/**
* Constructor
*
**/
public CustomPortalTAI()
{
sharedState = new HashMap();
}
/**
* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#initialize(java.util.Properties)
* @param arg0
* @return
* @throws com.ibm.websphere.security.WebTrustAssociationFailedException
*
**/
public int initialize(Properties props) throws WebTrustAssociationFailedException
{
return 0;
}
/**
* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#isTargetInterceptor(javax.servlet.http.HttpServletRequest)
* @param arg0
* @return
* @throws com.ibm.websphere.security.WebTrustAssociationException
*
**/
public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException
{
System.out.println("*********** Custom TAI ******************");
System.out.println("Determining if this TAI should handle the incoming request...");
if (req.getParameter("customUser") != null)
{
System.out.println("Custom TAI is being used to establish trust!");
return true;
}
System.out.println("Bypassing Custom TAI, did not find a user ID in the request");
return false;
}
/**
* (non-Javadoc)
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#negotiateValidateandEstablishTrust(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
* @param arg0
* @param arg1
* @return
* @throws com.ibm.websphere.security.WebTrustAssociationFailedException
*
**/
public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
throws WebTrustAssociationFailedException
{
String encryptId = req.getParameter("customUser");
String userId = null;
try
{
PGPSSOUtil util = new PGPSSOUtil();
// assume the user id has been encrypted and then converted to Hex encoding
byte[] unHexBytes = util.convertHexStringToByteArray(encryptId);
// use the keys referenced in PGPSSOUtil to decrypt the userId
userId = util.decryptId(unHexBytes);
}
catch (Exception e)
{
// hex decoding or decryption failed: refuse the request and hand no principal to the Portal
System.out.println("Custom TAI could not decrypt the user id: " + e.getMessage());
return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
}
if (userId == null || userId.length() == 0)
{
// decryption produced nothing usable; treat it like a failure rather than passing an empty principal
return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
}
return TAIResult.create(HttpServletResponse.SC_OK, userId);
}
/**
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#cleanup()
*
*
**/
public void cleanup()
{
sharedState = null;
}
/**
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getType()
* @return
*
**/
public String getType()
{
return TYPE + " \n " + this.getClass().getName();
}
/**
*
* @see com.ibm.wsspi.security.tai.TrustAssociationInterceptor#getVersion()
* @return
*
**/
public String getVersion()
{
return VERSION;
}
}
The parts of interest here are the changes to the negotiateValidateandEstablishTrust method.
We've replaced the conditional that compared the user name against a constant with a decryption of the encrypted user id passed in the request. If the id decrypts correctly (userId = util.decryptId(unHexBytes);), we pass the userId along to the Portal itself for authorization. If the value was not encrypted with the expected key, decryption fails, an exception is thrown, and the TAI returns a Forbidden result with no principal attached. In this way we use the security and access controls already built into WebSphere Portal to handle the rest of the job once we have an acceptable user id.
The only other thing to note is the decoding of the encrypted user id from hex. We assume the sender hex encoded the ciphertext so that it can be passed in a request parameter without a bunch of special characters. Since convertHexStringToByteArray is the first code to touch untrusted input, it should reject odd-length strings and non-hex characters outright rather than guess at them; that rejection ends up in the same catch block as a decryption failure, so a malformed token and a forged token are answered the same way.
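As an added example (not code from this series, from IBM, or from the PGPSSOUtil class), here is the decode-and-validate step written so it runs on its own, without WebSphere or PGP keys. The Decryptor interface and the XOR stand-in in main are assumptions that take the place of util.decryptId; the allowed user-id pattern is one example policy, not something the Portal requires. What it shows is that malformed hex, a token that does not decrypt, and a decrypted value that is not a plausible registry id all collapse to the same "no principal" answer the TAI turns into SC_FORBIDDEN.

```java
package test.security.tai;

import java.util.regex.Pattern;

/**
 * Strict handling of the customUser request parameter ahead of the PGP step.
 * Added example; PGPSSOUtil is replaced by the hypothetical Decryptor below.
 */
public class CustomUserToken
{
    /** Stand-in for PGPSSOUtil.decryptId (assumption, not a WebSphere or PGP API). */
    public interface Decryptor
    {
        String decryptId(byte[] ciphertext) throws Exception;
    }

    // Largest hex parameter we are willing to decode; caps the work done on junk input.
    private static final int MAX_HEX_LENGTH = 4096;
    // Shape of a user id we are willing to hand to the Portal (example policy, an assumption).
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    /** Strict hex decode: rejects null, empty, odd length, oversize and non-hex characters. */
    public static byte[] hexToBytes(String hex)
    {
        if (hex == null || hex.length() == 0 || hex.length() % 2 != 0 || hex.length() > MAX_HEX_LENGTH)
        {
            throw new IllegalArgumentException("bad hex length");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
        {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0)
            {
                throw new IllegalArgumentException("non-hex character at offset " + (2 * i));
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /**
     * Returns the user id to pass to the Portal, or null when the request must be
     * answered with SC_FORBIDDEN. Decode, decrypt and validation failures are all
     * treated the same way, so the caller never sees a partial or odd-looking id.
     */
    public static String extractUserId(String customUserParam, Decryptor decryptor)
    {
        try
        {
            byte[] ciphertext = hexToBytes(customUserParam);
            String userId = decryptor.decryptId(ciphertext);
            if (userId == null || !USER_ID.matcher(userId).matches())
            {
                return null;
            }
            return userId;
        }
        catch (Exception e)
        {
            return null;
        }
    }

    public static void main(String[] args)
    {
        final byte key = 0x5A;
        // Constructed stand-in for PGP: XOR with one fixed byte. It is not a cipher;
        // it only lets the decode/validate path run here without key files.
        Decryptor toy = new Decryptor()
        {
            public String decryptId(byte[] ct) throws Exception
            {
                byte[] pt = new byte[ct.length];
                for (int i = 0; i < ct.length; i++)
                {
                    pt[i] = (byte) (ct[i] ^ key);
                }
                return new String(pt, "UTF-8");
            }
        };
        // Constructed sample tokens: "jsmith" XORed with 0x5A and hex encoded,
        // then the same token truncated, corrupted, and extended with "/w".
        System.out.println("well-formed:  " + extractUserId("302937332e32", toy));
        System.out.println("odd length:   " + extractUserId("302937332e3", toy));
        System.out.println("non-hex:      " + extractUserId("zz2937332e32", toy));
        System.out.println("bad user id:  " + extractUserId("302937332e32752d", toy));
    }
}
```

In the real TAI the Decryptor would wrap the PGPSSOUtil instance, and a null return from extractUserId maps directly onto TAIResult.create(HttpServletResponse.SC_FORBIDDEN), while a non-null return is the principal for TAIResult.create(HttpServletResponse.SC_OK, userId).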
This series should hopefully give you a jump on how to create a simple SSO solution for WebSphere Portal. For production use there are other considerations: where the PGP key files live and how they are protected, how the TAI establishes that the request really came from the trusted sender (a value that decrypts with our private key only shows that someone had the matching public key, so a signature from the sender or a restriction on where the request may originate is still needed), and how a captured customUser value is kept from simply being replayed. That said, this should get you started in the right direction.
Good explanation. Could you also make 'forward links' so I can read on after article 1 and not move back from 4 ;-)