84 lines
6.0 KiB
HTML
84 lines
6.0 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
|
|
|
|
<title>Trusted ID evaluator</title>
|
|
</head>
|
|
|
|
<BODY>
|
|
<!-- Java sync-link -->
|
|
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
|
|
|
|
<h6><a name="wssectrustid"></a>Trusted ID evaluator</h6>
|
|
|
|
<p>Trusted ID evaluator (com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator) is a abstraction of the mechanism that evaluates whether the given ID name is trusted. Depending upon the implementation, various types of infrastructure can be used to store a list of the trusted IDs are stored, such as:</p>
|
|
|
|
<ul>
|
|
<li>Plain text file</li>
|
|
<li>Database</li>
|
|
<li>LDAP server</li>
|
|
</ul>
|
|
|
|
<p>The trusted ID evaluator is typically used by the ultimate receiver in a multi-hop environment. The Web services security implementation invokes the trusted ID evaluator and passes the identity name of the intermediary as a parameter. If the identity is evaluated and deemed trustworthy, the procedure continues. Otherwise, an exception is thrown and the procedure is aborted.</p>
|
|
|
|
<p><strong>Trusted ID evaluator default implementation</strong></p>
|
|
|
|
<p>A trusted ID evaluator is used to determine if a given identity (ID) name is trusted. Trusted ID evaluators are implemented by providing a class that implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface.</p>
|
|
|
|
<p>The default implementation of a trusted ID evaluator is com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl. This implementation is initialized with a list of trusted identity names. You can use <tt>trustedId_<em>n</em></tt> as the property key name (where <em>n</em> is an integer greater than 0) to specify a list of trusted identities in the properties. When a name is to be evaluated, it is passed to the evaluate() method. The name is checked against the list of trusted names and returns <tt>true</tt> if it is in the list (this means it is trusted) and <tt>false</tt> if it is not in the list (this means it is not trusted). The trusted identities are specified as TrustedIDEvaluator properties of the Web Services Security binding file (ws-security.xml or ibm-webservices-bnd.xmi).</p>
|
|
|
|
<p><strong>Developing a trusted ID evaluator</strong></p>
|
|
|
|
<p>Perform the following steps to develop your own trusted ID evaluator:</p>
|
|
|
|
<ol>
|
|
<li><p>Define the trusted ID evaluator class method. WebSphere Application Server - Express provides the trusted ID evaluator interface, com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator, which defines the following methods:</p>
|
|
<ul>
|
|
<li><p><tt>public void init(java.util.Map map) throws SoapSecurityException</tt>
|
|
<br>This method initializes the object. The parameter map object contains name and value pairs.</p>
|
|
<p>These pairs are specified in the WebSphere administrative console. Click <strong>Application Servers --> <em>server_name</em> --> Web Services: Default bindings for Web Services Security --> Trusted ID Evaluators --> <em>trusted_ID_evaluator_name</em> --> Properties --> New</strong>, where <em>server_name</em> is the name of your server and <em>trusted_ID_evaluator_name</em> is the name of your implementation.</p></li>
|
|
|
|
<li><p><tt>boolean evaluate(String id) throws TrustedIDEvaluatorException</tt>
|
|
<br>This method evaluates whether the received ID is trusted. The parameter object is an ID that must be evaluated. You can specify the realm as "id@realm". The method returns a <tt>true</tt> value if the ID is trusted, otherwise, it returns a <tt>false</tt> value.</p></li>
|
|
</ul>
|
|
|
|
<p>You must configure the following methods that are implemented by the custom trusted ID evaluator implementation.</p>
|
|
<p><strong>Note:</strong> This listing only shows the methods and does not include any implementation.</p>
|
|
<pre>import com.ibm.wsspi.wssecurity.SoapSecurityException;
|
|
import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator;
|
|
import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorException;
|
|
import java.util.Map;
|
|
|
|
public class MyTIEImpl implements TrustedIDEvaluator {
|
|
public void init(Map map) throws SoapSecurityException {
|
|
// Initialize the trusted ID evaluator object.
|
|
}
|
|
|
|
public boolean evaluate(String id) throws TrustedIDEvaluatorException {
|
|
// Evaluate the given ID and return true if successful, or false otherwise.
|
|
}
|
|
}</pre></li>
|
|
|
|
<li><p>Compile the implementation. Make sure that the /QIBM/ProdData/WebASE51/ASE/lib/was-wssecurity.jar file is in the compiler class path.</p></li>
|
|
|
|
<li><p>Copy the class file to a location in the class path, perferably in the /QIBM/UserData/WebASE51/ASE/<em>instance</em>/lib/ext directory, where <em>instance</em> is the name of your instance.</p></li>
|
|
|
|
<li><p>Restart your application server.</p></li>
|
|
|
|
<li><p>Delete the default trusted ID evaluator that is configured in the administrative console. Click <strong>Application Servers --> <em>server_name</em> --> Web Services: Default bindings for Web Services Security --> Trusted ID Evaluators --> <em>trusted_ID_evaluator_name</em></strong>, where <em>server_name</em> is the name of your application server, and <em>trusted_ID_evaluator_name</em> is the name of the default trusted ID evaluator.</p>
|
|
<p>Select the box next to the specific trusted ID evaluator name and click <strong> Delete</strong>.</p></li>
|
|
|
|
<li><p>To add your custom trusted ID evaluator, click <strong>New</strong>. Verify that the class name is dot separated and appears in the class path.</p></li>
|
|
|
|
<li><p>Under <strong>Additional Properties</strong>, click <strong>Properties</strong> to add additional properties that are required to initialize the custom trusted ID evaluator. These properties are passed to the <tt>init(java.util.Map)</tt> method of your implementation when it extends the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface as described in the first step.</p></li>
|
|
|
|
<li><p>Save the configuration.</p></li>
|
|
<li><p>Restart the application server for the trusted ID evaluator to take effect.</p></li>
|
|
</ol>
|
|
|
|
</body>
|
|
</html>
|
|
|