The Web services security run time uses the JAAS CallbackHandler interface as a plugin to generate security tokens on the client side or when a Web service is acting as client. This topic describes how to write a Java Authentication and Authorization Server (JAAS) javax.security.auth.callback.CallbackHandler to generate a binary security token (<wsse:BinarySecurityToken>) and an XML-based token.
See Configure a pluggable token for information about configuring the pluggable token authentication for a request receiver.
Standard Java Authentication and Authorization Service CallbackHandler
WebSphere Application Server - Express provides a default implementation of the following JAAS callback handlers that you can use:
com.ibm.wsspi.wssecurity.auth.callback.GUIPromptCallbackHandler
If basic authentication data is not defined in the login binding (not to be confused with the HTTP basic authentication information), WebSphere Application Server - Express prompts for a user name and password in the graphical user interface (GUI) login panel. However, WebSphere Application Server - Express uses the basic authentication data that is defined in the login binding.
Note: Use this callback handler with the BasicAuth authentication method only. Also, this implementation should only be used with Web services clients. The prompt behavior is not desirable in a server environment.
com.ibm.wsspi.wssecurity.auth.callback.StdinPromptCallbackHandler
If basic authentication data is not defined in the login binding, WebSphere Application Server - Express prompts for a user name and password in Standard in (stdin). However, WebSphere Application Server - Express uses the basic authentication data that is defined in the login binding.
Note: Use this callback handler with the BasicAuth authentication method only. Also, this implementation should only be used with Web services clients. The prompt behavior is not desirable in a server environment.
com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler
This callback handler does not prompt the user. It uses the basic authentication data that is defined in the login binding.
Note: Use this callback handler with BasicAuth authentication method only. You can use this callback handler when a Web service is acting as a client and needs to send basic authentication information (<wsse:UsernameToken>) to a downstream call. You must define basic authentication data in the login binding for this callback handler.
com.ibm.wsspi.wssecurity.auth.callback.LTPATokenCallbackHandler
This callback handler generates LTPA tokens from the RunAs JAAS Subject (invocation subject) of the current WebSphere Application Server - Express security context. However, if basic authentication data is defined in the login binding, it authenticates with the basic authentication data and uses the LTPA token that is generated. The Web services security run time inserts the LTPA token as binary security token (<wsse:BinarySecurityToken>) into the Simple Object Access Protocol (SOAP) header of the message. The value type is mandatory and the value must be http://www.ibm.com/websphere/appserver/tokentype/5.0.2/LTPA.
Note: Use this callback handler with the LTPA authentication method. Also, the Token Type URI and Token Type Local Name fields must be defined in the login binding for this callback handler. The token type values for both the sender and receiver must be the same. These values are defined in the binding configurations.
Developing a Java Authentication and Authorization Service callback handler
Because tokens are pluggable, you can also provide your own callback handler implementation.
Perform the following steps to develop your own JAAS callback handler:
Implement the javax.security.auth.callback.CallbackHandler interface. The implementation must provide a default constructor with the following method signature:
MyCallbackHandler(String userid, char[] password, java.util.Map properties)
where userid and password is the basic authentication data, and properties are the authentication properties that are defined in the login binding.
For the BasicAuth authentication method, the handler() method must handle the following javax.security.auth.callback.Callback implementation classes:
javax.security.auth.callback.NameCallback
This is the standard JAAS callback and part of the JAAS default package. The implementation
must set the user name using the javax.security.auth.callback.NameCallback.setName() method.
javax.security.auth.callback.PasswordCallback
This is the standard JAAS Callback and part of the JAAS default package. The implementation
must set the user name using the javax.security.auth.callback.PasswordCallback.setPassword() method.
For pluggable security token (other authentication methods), the handler() method must handle the following javax.security.auth.callback.Callback implementation classes:
com.ibm.wsspi.wssecurity.auth.callback.BinaryTokenCallback
This is the implementation that is provided by WebSphere Application Server - Express. It is used to pass a binary security token to the Web services security run time. The implementation must set the binary security token as a byte[] data type using the com.ibm.wsspi.wssecurity.auth.callback.BinaryTokenCallback.setCredToken() method.
com.ibm.wsspi.wssecurity.auth.callback.XMLTokenSenderCallback
This is the implementation that is provided by WebSphere Application Server - Express. It is used to pass XML-based tokens to the Web services security run time. The implementation must set the XML-based token as a org.w3c.dom.Element[] data type using the com.ibm.wsspi.wssecurity.auth.callback.XMLTokenSenderCallback.setXMLTokens() method.
Note: If both the binary security token and XML-based token callback handlers are set, the binary security token takes precedence over the XML-based token. A binary security token is generated.
Sample implementation for BasicAuth authentication method
The following code is a sample callback handler implementation for generating the <wsse:UsernameToken> element. The error handling has been removed for clarity.
public class MyBACallbackHandler implements CallbackHandler {
public MyBACallbackHandler() {
super();
}
public MyBACallbackHandler(String userid, char[] password, Map properties) {
super();
tmpusername = userid;
tmppassword = password;
tmpMap = properties;
}
/**
* This implementation of MyBACallbackHandler map the username and
* password data defined in the Login binding to another user.
*/
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
if ((callbacks == null) || (callbacks.length == 0)) {
return;
}
// call out to some server to perform mapping of
// tmpusername and tmppassword to a mappeduser
// and mappedpassword
Result result = mapUser(tmpusername, tmppassword, tmpMap);
String mappeduser = result.getMappedUser();
char[] mappedpassword = result.getMappedPassword();
for (int i = 0; i < callbacks.length; i++) {
callback c = callbacks[i];
if (c instanceof javax.security.auth.callback.namecallback) {
((javax.security.auth.callback.namecallback) c).setname(mappeduser);
} else if (c instanceof javax.security.auth.callback.passwordcallback) {
((javax.security.auth.callback.passwordcallback) c).setpassword(
(mappedpassword == null) ? new char[0] : mappedpassword);
} else {
throw new unsupportedcallbackexception(c, "Unsupported callback");
}
}
}
private string tmpusername = "";
private char[] tmppassword = null;
private map tmpmap = null;
}
The following sample code is a sample callback handler implementation for generating <wsse:BinarySecurityToken> element.
public class MyBSTCallbackHandler implements CallbackHandler {
public MyBSTCallbackHandler() {
super();
}
public MyBSTCallbackHandler(String userid, char[] password, Map properties) {
super();
tmpusername = userid;
tmppassword = password;
tmpMap = properties;
}
/**
* This implementation of MyBSTCallbackHandler generates binary
* security token based on the username and password data defined in the
* Login binding to another user.
*/
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
if ((callbacks == null) || (callbacks.length == 0)) {
return;
}
// call out to create binary security token
// based on tmpusername and tmppassword
byte[] token = login(tmpusername, tmppassword);
for (int i = 0; i < callbacks.length; i++) {
callback c = callbacks[i];
if (c instanceof com.ibm.wsspi.wssecurity.auth.callback.binarytokencallback) {
((com.ibm.wsspi.wssecurity.auth.callback.binarytokencallback) c).setcredtoken(token);
} else if (c instanceof com.ibm.wsspi.wssecurity.auth.callback.xmltokensendercallback) {
continue;
} else {
throw new unsupportedcallbackexception(c, "Unsupported callback");
}
}
}
private string tmpusername = "";
private char[] tmppassword = null;
private map tmpmap = null;
}