ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wssectrustid.htm

84 lines
6.0 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Trusted ID evaluator</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wssectrustid"></a>Trusted ID evaluator</h6>
<p>Trusted ID evaluator (com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator) is a abstraction of the mechanism that evaluates whether the given ID name is trusted. Depending upon the implementation, various types of infrastructure can be used to store a list of the trusted IDs are stored, such as:</p>
<ul>
<li>Plain text file</li>
<li>Database</li>
<li>LDAP server</li>
</ul>
<p>The trusted ID evaluator is typically used by the ultimate receiver in a multi-hop environment. The Web services security implementation invokes the trusted ID evaluator and passes the identity name of the intermediary as a parameter. If the identity is evaluated and deemed trustworthy, the procedure continues. Otherwise, an exception is thrown and the procedure is aborted.</p>
<p><strong>Trusted ID evaluator default implementation</strong></p>
<p>A trusted ID evaluator is used to determine if a given identity (ID) name is trusted. Trusted ID evaluators are implemented by providing a class that implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.</p>
<p>The default implementation of a trusted ID evaluator is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl. This implementation is initialized with a list of trusted identity names. You can use <tt>trustedId_<em>n</em></tt> as the property key name (where <em>n</em> is an integer greater than 0) to specify a list of trusted identities in the properties. When a name is to be evaluated, it is passed to the evaluate() method. The name is checked against the list of trusted names and returns <tt>true</tt> if it is in the list (this means it is trusted) and <tt>false</tt> if it is not in the list (this means it is not trusted). The trusted identities are specified as TrustedIDEvaluator properties of the Web Services Security binding file (ws-security.xml or ibm-webservices-bnd.xmi).</p>
<p><strong>Developing a trusted ID evaluator</strong></p>
<p>Perform the following steps to develop your own trusted ID evaluator:</p>
<ol>
<li><p>Define the trusted ID evaluator class method. WebSphere Application Server - Express provides the trusted ID evaluator interface, com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator, which defines the following methods:</p>
<ul>
<li><p><tt>public void init(java.util.Map map) throws SoapSecurityException</tt>
<br>This method initializes the object. The parameter map object contains name and value pairs.</p>
<p>These pairs are specified in the WebSphere administrative console. Click <strong>Application Servers --&gt; <em>server_name</em> --&gt; Web Services: Default bindings for Web Services Security --&gt; Trusted ID Evaluators --&gt; <em>trusted_ID_evaluator_name</em> --&gt; Properties --&gt; New</strong>, where <em>server_name</em> is the name of your server and <em>trusted_ID_evaluator_name</em> is the name of your implementation.</p></li>
<li><p><tt>boolean evaluate(String id) throws TrustedIDEvaluatorException</tt>
<br>This method evaluates whether the received ID is trusted. The parameter object is an ID that must be evaluated. You can specify the realm as &quot;id@realm&quot;. The method returns a <tt>true</tt> value if the ID is trusted, otherwise, it returns a <tt>false</tt> value.</p></li>
</ul>
<p>You must configure the following methods that are implemented by the custom trusted ID evaluator implementation.</p>
<p><strong>Note:</strong> This listing only shows the methods and does not include any implementation.</p>
<pre>import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator;
import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorException;
import java.util.Map;
public class MyTIEImpl implements TrustedIDEvaluator {
public void init(Map map) throws SoapSecurityException {
// Initialize the trusted ID evaluator object.
}
public boolean evaluate(String id) throws TrustedIDEvaluatorException {
// Evaluate the given ID and return true if successful, or false otherwise.
}
}</pre></li>
<li><p>Compile the implementation. Make sure that the /QIBM/ProdData/WebASE/ASE5/lib/was-wssecurity.jar file is in the compiler class path.</p></li>
<li><p>Copy the class file to a location in the class path, perferably in the /QIBM/UserData/WebASE/ASE5/<em>instance</em>/lib/ext directory, where <em>instance</em> is the name of your instance.</p></li>
<li><p>Restart your application server.</p></li>
<li><p>Delete the default trusted ID evaluator that is configured in the administrative console. Click <strong>Application Servers --&gt; <em>server_name</em> --&gt; Web Services: Default bindings for Web Services Security --&gt; Trusted ID Evaluators --&gt; <em>trusted_ID_evaluator_name</em></strong>, where <em>server_name</em> is the name of your application server, and <em>trusted_ID_evaluator_name</em> is the name of the default trusted ID evaluator.</p>
<p>Select the box next to the specific trusted ID evaluator name and click <strong> Delete</strong>.</p></li>
<li><p>To add your custom trusted ID evaluator, click <strong>New</strong>. Verify that the class name is dot separated and appears in the class path.</p></li>
<li><p>Under <strong>Additional Properties</strong>, click <strong>Properties</strong> to add additional properties that are required to initialize the custom trusted ID evaluator. These properties are passed to the <tt>init(java.util.Map)</tt> method of your implementation when it extends the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface as described in the first step.</p></li>
<li><p>Save the configuration.</p></li>
<li><p>Restart the application server for the trusted ID evaluator to take effect.</p></li>
</ol>
</body>
</html>