Trusted ID evaluator

Trusted ID evaluator (com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator) is a abstraction of the mechanism that evaluates whether the given ID name is trusted. Depending upon the implementation, various types of infrastructure can be used to store a list of the trusted IDs are stored, such as:

• Plain text file
• Database
• LDAP server

The trusted ID evaluator is typically used by the ultimate receiver in a multi-hop environment. The Web services security implementation invokes the trusted ID evaluator and passes the identity name of the intermediary as a parameter. If the identity is evaluated and deemed trustworthy, the procedure continues. Otherwise, an exception is thrown and the procedure is aborted.

Trusted ID evaluator default implementation

A trusted ID evaluator is used to determine if a given identity (ID) name is trusted. Trusted ID evaluators are implemented by providing a class that implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.

The default implementation of a trusted ID evaluator is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl. This implementation is initialized with a list of trusted identity names. You can use trustedId_n as the property key name (where n is an integer greater than 0) to specify a list of trusted identities in the properties. When a name is to be evaluated, it is passed to the evaluate() method. The name is checked against the list of trusted names and returns true if it is in the list (this means it is trusted) and false if it is not in the list (this means it is not trusted). The trusted identities are specified as TrustedIDEvaluator properties of the Web Services Security binding file (ws-security.xml or ibm-webservices-bnd.xmi).

Developing a trusted ID evaluator

Perform the following steps to develop your own trusted ID evaluator:

1. Define the trusted ID evaluator class method. WebSphere Application Server - Express provides the trusted ID evaluator interface, com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator, which defines the following methods:

   • public void init(java.util.Map map) throws SoapSecurityException
     This method initializes the object. The parameter map object contains name and value pairs.

     These pairs are specified in the WebSphere administrative console. Click Application Servers --> server_name --> Web Services: Default bindings for Web Services Security --> Trusted ID Evaluators --> trusted_ID_evaluator_name --> Properties --> New, where server_name is the name of your server and trusted_ID_evaluator_name is the name of your implementation.

   • boolean evaluate(String id) throws TrustedIDEvaluatorException
     This method evaluates whether the received ID is trusted. The parameter object is an ID that must be evaluated. You can specify the realm as "id@realm". The method returns a true value if the ID is trusted, otherwise, it returns a false value.

   You must configure the following methods that are implemented by the custom trusted ID evaluator implementation.

   Note: This listing only shows the methods and does not include any implementation.

   import com.ibm.wsspi.wssecurity.SoapSecurityException;
   import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator;
   import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorException;
   import java.util.Map;
   
   public class MyTIEImpl implements TrustedIDEvaluator {
     public void init(Map map) throws SoapSecurityException {
       // Initialize the trusted ID evaluator object.
     }
   
     public boolean evaluate(String id) throws TrustedIDEvaluatorException {
       // Evaluate the given ID and return true if successful, or false otherwise.
     }
   }

2. Compile the implementation. Make sure that the /QIBM/ProdData/WebASE51/ASE/lib/was-wssecurity.jar file is in the compiler class path.

3. Copy the class file to a location in the class path, perferably in the /QIBM/UserData/WebASE51/ASE/instance/lib/ext directory, where instance is the name of your instance.

4. Restart your application server.

5. Delete the default trusted ID evaluator that is configured in the administrative console. Click Application Servers --> server_name --> Web Services: Default bindings for Web Services Security --> Trusted ID Evaluators --> trusted_ID_evaluator_name, where server_name is the name of your application server, and trusted_ID_evaluator_name is the name of the default trusted ID evaluator.

   Select the box next to the specific trusted ID evaluator name and click Delete.

6. To add your custom trusted ID evaluator, click New. Verify that the class name is dot separated and appears in the class path.

7. Under Additional Properties, click Properties to add additional properties that are required to initialize the custom trusted ID evaluator. These properties are passed to the init(java.util.Map) method of your implementation when it extends the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface as described in the first step.

8. Save the configuration.

9. Restart the application server for the trusted ID evaluator to take effect.