448 lines
18 KiB
HTML
448 lines
18 KiB
HTML
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
|
<html>
|
||
|
|
<head>
|
||
|
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||
|
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
||
|
|
|
||
|
|
<title>Example: UserRegistry.java file</title>
|
||
|
|
</head>
|
||
|
|
|
||
|
|
<BODY>
|
||
|
|
<!-- Java sync-link -->
|
||
|
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
||
|
|
|
||
|
|
<h4><a name="secdcurj"></a>Example: UserRegistry.java file</h4>
|
||
|
|
|
||
|
|
<pre>// 5722-IWE
|
||
|
|
// (C) COPYRIGHT International Business Machines Corp. 1997, 2003
|
||
|
|
// All Rights Reserved * Licensed Materials - Property of IBM
|
||
|
|
//
|
||
|
|
// DESCRIPTION:
|
||
|
|
//
|
||
|
|
// This is the UserRegistry interface that Custom Registries in WebSphere
|
||
|
|
// should implement to enable WebSphere Security to use the Custom Registry.
|
||
|
|
//
|
||
|
|
|
||
|
|
package com.ibm.websphere.security;
|
||
|
|
|
||
|
|
import java.util.*;
|
||
|
|
import java.rmi.*;
|
||
|
|
import java.security.cert.X509Certificate;
|
||
|
|
import com.ibm.websphere.security.cred.WSCredential;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Implementing this interface enables WebSphere Security to use Custom
|
||
|
|
* Registries. This should extend java.rmi.Remote as the registry can be in
|
||
|
|
* a remote process.
|
||
|
|
*
|
||
|
|
* To implement this interface, you must provide implementations for:
|
||
|
|
*
|
||
|
|
* -- initialize(java.util.Properties)
|
||
|
|
* -- checkPassword(String,String)
|
||
|
|
* -- mapCertificate(X509Certificate[])
|
||
|
|
* -- getRealm
|
||
|
|
* -- getUsers(String,int)
|
||
|
|
* -- getUserDisplayName(String)
|
||
|
|
* -- getUniqueUserId(String)
|
||
|
|
* -- getUserSecurityName(String)
|
||
|
|
* -- isValidUser(String)
|
||
|
|
* -- getGroups(String,int)
|
||
|
|
* -- getGroupDisplayName(String)
|
||
|
|
* -- getUniqueGroupId(String)
|
||
|
|
* -- getUniqueGroupIds(String)
|
||
|
|
* -- getGroupSecurityName(String)
|
||
|
|
* -- isValidGroup(String)
|
||
|
|
* -- getGroupsForUser(String)
|
||
|
|
* -- getUsersForGroup(String,int)
|
||
|
|
* -- createCredential(String)
|
||
|
|
**/
|
||
|
|
|
||
|
|
public interface UserRegistry extends java.rmi.Remote
|
||
|
|
{
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Initializes the registry. This method is called when creating the
|
||
|
|
* registry.
|
||
|
|
*
|
||
|
|
* @param props the registry-specific properties with which to
|
||
|
|
* initialize the custom registry
|
||
|
|
* @exception CustomRegistryException
|
||
|
|
* if there is any registry specific problem
|
||
|
|
* @exception RemoteException
|
||
|
|
* as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public void initialize(java.util.Properties props)
|
||
|
|
throws CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Checks the password of the user. This method is called to authenticate a
|
||
|
|
* user when the user's name and password are given.
|
||
|
|
*
|
||
|
|
* @param userSecurityName the name of user
|
||
|
|
* @param password the password of the user
|
||
|
|
* @return a valid userSecurityName. Normally this is
|
||
|
|
* the name of same user whose password was checked but if the
|
||
|
|
* implementation wants to return any other valid
|
||
|
|
* userSecurityName in the registry it can do so
|
||
|
|
* @exception CheckPasswordFailedException if userSecurityName/
|
||
|
|
* password combination does not exist in the registry
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String checkPassword(String userSecurityName, String password)
|
||
|
|
throws PasswordCheckFailedException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Maps a Certificate (of X509 format) to a valid user in the Registry.
|
||
|
|
* This is used to map the name in the certificate supplied by a browser
|
||
|
|
* to a valid userSecurityName in the registry
|
||
|
|
*
|
||
|
|
* @param cert the X509 certificate chain
|
||
|
|
* @return the mapped name of the user userSecurityName
|
||
|
|
* @exception CertificateMapNotSupportedException if the particular
|
||
|
|
* certificate is not supported.
|
||
|
|
* @exception CertificateMapFailedException if the mapping of the
|
||
|
|
* certificate fails.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String mapCertificate(X509Certificate[] cert)
|
||
|
|
throws CertificateMapNotSupportedException,
|
||
|
|
CertificateMapFailedException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the realm of the registry.
|
||
|
|
*
|
||
|
|
* @return the realm. The realm is a registry-specific string indicating
|
||
|
|
* the realm or domain for which this registry
|
||
|
|
* applies. For example, for OS400 or AIX this would be the
|
||
|
|
* host name of the system whose user registry this object
|
||
|
|
* represents.
|
||
|
|
* If null is returned by this method realm defaults to the
|
||
|
|
* value of "customRealm".
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String getRealm()
|
||
|
|
throws CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Gets a list of users that match a pattern in the registy.
|
||
|
|
* The maximum number of users returned is defined by the limit
|
||
|
|
* argument.
|
||
|
|
* This method is called by GUI(adminConsole) and Scripting(Command Line) to
|
||
|
|
* make available the users in the registry for adding them (users) to roles.
|
||
|
|
*
|
||
|
|
* @param pattern the pattern to match. (For e.g., a* will match all
|
||
|
|
* userSecurityNames starting with a)
|
||
|
|
* @param limit the maximum number of users that should be returned.
|
||
|
|
* This is very useful in situations where there are thousands of
|
||
|
|
* users in the registry and getting all of them at once is not
|
||
|
|
* practical. A value of 0 implies get all the users and hence
|
||
|
|
* must be used with care.
|
||
|
|
* @return a Result object that contains the list of users
|
||
|
|
* requested and a flag to indicate if more users exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public Result getUsers(String pattern, int limit)
|
||
|
|
throws CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the display name for the user specified by userSecurityName.
|
||
|
|
*
|
||
|
|
* This method may be called only when the user information is displayed
|
||
|
|
* (i.e information purposes only, for example, in GUI) and hence not used
|
||
|
|
* in the actual authentication or authorization purposes. If there are no
|
||
|
|
* display names in the registry return null or empty string.
|
||
|
|
*
|
||
|
|
* In WAS 4.0 custom registry, if you had a display name for the user and
|
||
|
|
* if it was different from the security name, the display name was
|
||
|
|
* returned for the servlet methods getUserPrincipal() and getRemoteUser().
|
||
|
|
* In WAS 5.0 for the same methods the security name will be returned by
|
||
|
|
* default. This is the recommended way as the display name is not unique
|
||
|
|
* and might create security holes.
|
||
|
|
* However, for backward compatability if one needs the display name to
|
||
|
|
* be returned set the property WAS_UseDisplayName to true.
|
||
|
|
*
|
||
|
|
* See the Infocenter documentation for more information.
|
||
|
|
*
|
||
|
|
* @param userSecurityName the name of the user.
|
||
|
|
* @return the display name for the user. The display name
|
||
|
|
* is a registry-specific string that represents a descriptive, not
|
||
|
|
* necessarily unique, name for a user. If a display name does
|
||
|
|
* not exist return null or empty string.
|
||
|
|
* @exception EntryNotFoundException if userSecurityName does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String getUserDisplayName(String userSecurityName)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the UniqueId for a userSecurityName. This method is called when
|
||
|
|
* creating a credential for a user.
|
||
|
|
*
|
||
|
|
* @param userSecurityName the name of the user.
|
||
|
|
* @return the UniqueId of the user. The UniqueId for an user is
|
||
|
|
* the stringified form of some unique, registry-specific, data
|
||
|
|
* that serves to represent the user. For example, for the UNIX
|
||
|
|
* user registry, the UniqueId for a user can be the UID.
|
||
|
|
* @exception EntryNotFoundException if userSecurityName does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String getUniqueUserId(String userSecurityName)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the name for a user given its uniqueId.
|
||
|
|
*
|
||
|
|
* @param uniqueUserId the UniqueId of the user.
|
||
|
|
* @return the userSecurityName of the user.
|
||
|
|
* @exception EntryNotFoundException if the uniqueUserId does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String getUserSecurityName(String uniqueUserId)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Determines if the userSecurityName exists in the registry
|
||
|
|
*
|
||
|
|
* @param userSecurityName the name of the user
|
||
|
|
* @return true if the user is valid. false otherwise
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public boolean isValidUser(String userSecurityName)
|
||
|
|
throws CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Gets a list of groups that match a pattern in the registy.
|
||
|
|
* The maximum number of groups returned is defined by the limit
|
||
|
|
* argument.
|
||
|
|
* This method is called by GUI(adminConsole) and Scripting(Command Line) to
|
||
|
|
* make available the groups in the registry for adding them (groups) to
|
||
|
|
* roles.
|
||
|
|
*
|
||
|
|
* @param pattern the pattern to match. (For e.g., a* will match all
|
||
|
|
* groupSecurityNames starting with a)
|
||
|
|
* @param limit the maximum number of groups that should be returned.
|
||
|
|
* This is very useful in situations where there are thousands of
|
||
|
|
* groups in the registry and getting all of them at once is not
|
||
|
|
* practical. A value of 0 implies get all the groups and hence
|
||
|
|
* must be used with care.
|
||
|
|
* @return a Result object that contains the list of groups
|
||
|
|
* requested and a flag to indicate if more groups exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public Result getGroups(String pattern, int limit)
|
||
|
|
throws CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the display name for the group specified by groupSecurityName.
|
||
|
|
*
|
||
|
|
* This method may be called only when the group information is displayed
|
||
|
|
* (for example, GUI) and hence not used in the actual authentication or
|
||
|
|
* authorization purposes. If there are no display names in the registry
|
||
|
|
* return null or empty string.
|
||
|
|
*
|
||
|
|
* @param groupSecurityName the name of the group.
|
||
|
|
* @return the display name for the group. The display name
|
||
|
|
* is a registry-specific string that represents a descriptive, not
|
||
|
|
* necessarily unique, name for a group. If a display name does
|
||
|
|
* not exist return null or empty string.
|
||
|
|
* @exception EntryNotFoundException if groupSecurityName does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String getGroupDisplayName(String groupSecurityName)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the Unique id for a group.
|
||
|
|
|
||
|
|
* @param groupSecurityName the name of the group.
|
||
|
|
* @return the Unique id of the group. The Unique id for
|
||
|
|
* a group is the stringified form of some unique,
|
||
|
|
* registry-specific, data that serves to represent the group.
|
||
|
|
* For example, for the Unix user registry, the Unique id could
|
||
|
|
* be the GID.
|
||
|
|
* @exception EntryNotFoundException if groupSecurityName does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String getUniqueGroupId(String groupSecurityName)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the Unique ids for all the groups that contain the UniqueId of
|
||
|
|
* a user.
|
||
|
|
* Called during creation of a user's credential.
|
||
|
|
*
|
||
|
|
* @param uniqueUserId the uniqueId of the user.
|
||
|
|
* @return a List of all the group UniqueIds that the uniqueUserId
|
||
|
|
* belongs to. The Unique id for an entry is the stringified
|
||
|
|
* form of some unique, registry-specific, data that serves
|
||
|
|
* to represent the entry. For example, for the
|
||
|
|
* Unix user registry, the Unique id for a group could be the GID
|
||
|
|
* and the Unique Id for the user could be the UID.
|
||
|
|
* @exception EntryNotFoundException if uniqueUserId does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public List getUniqueGroupIds(String uniqueUserId)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the name for a group given its uniqueId.
|
||
|
|
*
|
||
|
|
* @param uniqueGroupId the UniqueId of the group.
|
||
|
|
* @return the name of the group.
|
||
|
|
* @exception EntryNotFoundException if the uniqueGroupId does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public String getGroupSecurityName(String uniqueGroupId)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Determines if the groupSecurityName exists in the registry
|
||
|
|
*
|
||
|
|
* @param groupSecurityName the name of the group
|
||
|
|
* @return true if the groups exists, false otherwise
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public boolean isValidGroup(String groupSecurityName)
|
||
|
|
throws CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Returns the securityNames of all the groups that contain the user
|
||
|
|
*
|
||
|
|
* This method is called by GUI(adminConsole) and Scripting(Command Line)
|
||
|
|
* to verify the user entered for role mapping belongs to that role
|
||
|
|
* in the roles to user mapping. Initially, the check is done to see if
|
||
|
|
* the role contains the user. If the role does not contain the user
|
||
|
|
* explicitly, this method is called to get the groups that this user
|
||
|
|
* belongs to so that check can be made on the groups that the role contains.
|
||
|
|
*
|
||
|
|
* @param userSecurityName the name of the user
|
||
|
|
* @return a List of all the group securityNames that the user
|
||
|
|
* belongs to.
|
||
|
|
* @exception EntryNotFoundException if user does not exist.
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
**/
|
||
|
|
public List getGroupsForUser(String userSecurityName)
|
||
|
|
throws EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Gets a list of users in a group.
|
||
|
|
*
|
||
|
|
* The maximum number of users returned is defined by the limit
|
||
|
|
* argument.
|
||
|
|
*
|
||
|
|
* This method is not used by WebSphere Application Server - Express for
|
||
|
|
* authenticating or authorization purposes. This is, however, used by some
|
||
|
|
* of the WebSphere clients like Workflow.
|
||
|
|
*
|
||
|
|
* If you are working with a registry where getting all the users from
|
||
|
|
* any of your groups is not practical (for example if there are a large
|
||
|
|
* number of users) you can through the NotImplementedException. Also,
|
||
|
|
* if you implement this method, you can still throw this exception if
|
||
|
|
* the limit exceeds some practical value.
|
||
|
|
* When the NotImplementedException is thrown the client program should fall
|
||
|
|
* back to some default implementation which should be documented by the
|
||
|
|
* client.
|
||
|
|
*
|
||
|
|
* @param groupSecurityName the name of the group
|
||
|
|
* @param limit the maximum number of users that should be returned.
|
||
|
|
* This is very useful in situations where there are lot of
|
||
|
|
* users in the registry and getting all of them at once is not
|
||
|
|
* practical. A value of 0 implies get all the users and hence
|
||
|
|
* must be used with care.
|
||
|
|
* @return a Result object that contains the list of users
|
||
|
|
* requested and a flag to indicate if more users exist.
|
||
|
|
* @deprecated This method will be deprecated in future.
|
||
|
|
* @exception NotImplementedException throw this exception if it is not
|
||
|
|
* pratical to get this information from your registry.
|
||
|
|
* @exception EntryNotFoundException if the group does not exist in
|
||
|
|
* the registry
|
||
|
|
* @exception CustomRegistryException if there is any registry specific
|
||
|
|
* problem
|
||
|
|
* @exception RemoteException as this extends java.rmi.Remote
|
||
|
|
*
|
||
|
|
**/
|
||
|
|
public Result getUsersForGroup(String groupSecurityName, int limit)
|
||
|
|
throws NotImplementedException,
|
||
|
|
EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Throw the NotImplementedException for this method.
|
||
|
|
*
|
||
|
|
* Create Credential for a user.
|
||
|
|
*
|
||
|
|
* This will be implemented internally by WebSphere code and should NOT be
|
||
|
|
* implemented by the Custom Registry implementations.
|
||
|
|
*
|
||
|
|
* @exception NotImplementedException Always throw this.
|
||
|
|
**/
|
||
|
|
public WSCredential createCredential(String userSecurityName)
|
||
|
|
throws NotImplementedException,
|
||
|
|
EntryNotFoundException,
|
||
|
|
CustomRegistryException,
|
||
|
|
RemoteException;
|
||
|
|
}</pre>
|
||
|
|
|
||
|
|
|
||
|
|
</body>
|
||
|
|
</html>
|
||
|
|
|