WAS 6 - read user and password from J2C Authentication Data
b***@yahoo.com
2006-10-21 13:07:50 UTC
I had this working in WAS5... I want to be able to read the J2C Authentication Alias information (userid and password). This is how I did it in WAS5:

<snip>

InitialContext ctx = new InitialContext();
String str = (String) ctx.lookup("thisNode/cell/legacyRoot/string/myUserPass");
lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));

lc.login();

javax.security.auth.Subject subject = lc.getSubject();
java.util.Set creds = subject.getPrivateCredentials();
result = (javax.resource.spi.security.PasswordCredential) creds.toArray()[0];
servlet.getServletContext().setAttribute("user", result.getUserName());
servlet.getServletContext().setAttribute("password", new String(result.getPassword()));

</snip>

There seems to be a problem with the line

lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));

in regards to the null. I get the following error..

SECJ4030E: Unrecognizable Callback index = 0 ***@16a8bf0

Can somebody help me read the user id and password out of the J2C Authentication Data?

Thanks.
Paul Ilechko
2006-10-23 00:13:16 UTC
WSPrincipalMappingCallbackHandler is deprecated in WAS 6.

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rsec_pluginj2c.html
b***@yahoo.com
2006-10-23 12:20:25 UTC
Is there a new way to read the user and password that doesn't use WSPrincipalMappingCallbackHandler? I came across that page as well, but I don't understand all of the details enough to know if that is what they are trying to explain.
Paul Ilechko
2006-10-23 12:51:55 UTC
Post by b***@yahoo.com
Is there a new way to read the user and password that doesn't use WSPrincipalMappingCallbackHandler? I came across that page as well, but I don't understand all of the details enough to know if that is what they are trying to explain.
I'm not sure, but maybe you can do a getProperties() on the
WSMappingPropertiesCallback.

Here's the javadoc:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.javadoc.doc/public_html/spi/com/ibm/wsspi/security/auth/callback/WSMappingPropertiesCallback.html
b***@yahoo.com
2006-10-23 18:10:55 UTC
I find it interesting nobody (or at least very few people) has tried to read the username and password out of a J2C entry. It seems like it would be a very easy way to store ids and passwords needed for different tasks the application performs like looking up some information on a user in Active Directory, for instance. Anybody have any other way to do this besides storing the id and password in the String bindings?

Thanks for the help so far.
Paul Ilechko
2006-10-23 19:02:34 UTC
Post by b***@yahoo.com
I find it interesting nobody (or at least very few people) has tried
to read the username and password out of a J2C entry. It seems like
it would be a very easy way to store ids and passwords needed for
different tasks the application performs like looking up some
information on a user in Active Directory, for instance. Anybody
have any other way to do this besides storing the id and password in
the String bindings?
Well, you can just store them in a file. In case you are thinking that
it would be more secure to store them in the J2C entry, that's really
not the case, as any application can lookup a J2C entry - there's no
authorization on that access. At least with a file you would have the
ability to protect the file itself with OS security, and the ability to
protect access from Java code in WAS by enforcing Java 2 security.
h***@gmail.com
2006-10-30 17:31:20 UTC
Post by b***@yahoo.com
I find it interesting nobody (or at least very few people) has tried
to read the username and password out of a J2C entry. It seems like
it would be a very easy way to store ids and passwords needed for
different tasks the application performs like looking up some
information on a user in Active Directory, for instance. Anybody
have any other way to do this besides storing the id and password in
the String bindings?
Well, you can just store them in a file. In case you are thinking that
it would be more secure to store them in the J2C entry, that's really
not the case, as any application can lookup a J2C entry - there's no
authorization on that access. At least with a file you would have the
ability to protect the file itself with OS security, and the ability to
protect access from Java code in WAS by enforcing Java 2 security.
I don't know if storing username/password in a file is more secure than using J2C. But if all applications in that server share the same J2C, maybe it's not an issue anymore. I understand J2C is not that secure, but it's many companies' policy not to include user name/password in a plain text file. And unless J2C is deprecated in WAS6, there should be a way to use it somehow. I just want to see some simple sample code that reads J2C entries; so far I have found none.
Paul Ilechko
2006-10-31 02:08:19 UTC
Post by b***@yahoo.com
Is there a new way to read the user and password that doesn't use
WSPrincipalMappingCallbackHandler? I came across that page as well,
but I don't understand all of the details enough to know if that is
what they are trying to explain.
I've been told that while it may be possible to get this to work, it
isn't supported using public APIs. I'll post more if I find out more.
h***@gmail.com
2006-11-06 15:57:02 UTC
Paul
Thank you for trying to find the solution. I'm sure there's a way to get J2C data, otherwise it means J2C is not supported in WAS6.

I hope you find the solution and post it here. Since I'm sure there're other people who are looking for the same solution.

Thanks again
Paul Ilechko
2006-11-06 16:11:07 UTC
Paul Thank you for trying to find the solution. I'm sure there's a
way to get J2C data, otherwise it means J2C is not supported in WAS6.
I hope you find the solution and post it here. Since I'm sure
there're other people who are looking for the same solution.
Thanks again
Possible solution - needs to be tested:

Create a new JAAS login config with two modules:

1. The WAS identity mapping module
2. Your custom module

- the identity mapping module should create a subject in shared state,
and your module should be able to get the userid and pwd out of it.

Try this, and post back if it works.
h***@gmail.com
2006-12-04 16:04:22 UTC
I received a possible solution from IBM.
WSPrincipalMappingCallbackHandler is deprecated in WAS6. Deprecated doesn't mean it won't work, but as we know it doesn't. I think IBM is working on this problem.

You should instead use WSMappingCallbackHandler. But IBM realized their infocenter example is not correct. From your code, change the following line

lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));

to this

HashMap map = new HashMap();
map.put("com.ibm.mapping.authDataAlias", str);
// or com.ibm.wsspi.security.auth.callback.Constants.MAPPING_ALIAS is "com.ibm.mapping.authDataAlias"
// map.put(Constants.MAPPING_ALIAS, str);
javax.security.auth.callback.CallbackHandler callbackHandler = WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(map, null);
lc = new LoginContext("DefaultPrincipalMapping", callbackHandler);

Just beware, WAS6 now prefixes the cell or node name in front of the J2C authentication data's alias name. So, you should look for the alias name that includes the cell or node name.
Post by b***@yahoo.com
I had this working in WAS5... I want to be able to
read the J2C Authentication Alias information (userid
<snip>
InitialContext ctx = new InitialContext();
String str = (String) ctx.lookup("thisNode/cell/legacyRoot/string/myUserPass");
lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));
lc.login();
javax.security.auth.Subject subject = lc.getSubject();
java.util.Set creds = subject.getPrivateCredentials();
result = (javax.resource.spi.security.PasswordCredential) creds.toArray()[0];
servlet.getServletContext().setAttribute("user", result.getUserName());
servlet.getServletContext().setAttribute("password", new String(result.getPassword()));
</snip>
There seems to be a problem with the line
lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));
in regards to the null. I get the following error..
SECJ4030E: Unrecognizable Callback index = 0
com.ibm.wsspi.security.auth.callback.WSManagedConnecti
Can somebody help me read the user id and password
out of the J2C Authentication Data?
Thanks.
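
The fix from the last post assembled into one helper, as an added example that is not code from the thread or from IBM: it picks the PasswordCredential by type and hands the password to a callback as a char[] instead of copying it into a String held in the ServletContext. The names J2CAliasReader, CredentialUser and withAlias are hypothetical; it assumes the code runs inside a WAS 6 server with the WAS runtime classes available and that the alias passed in already carries its cell or node prefix.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandlerFactory;

// Hypothetical helper class (not part of WAS): resolves a J2C alias and
// exposes the credential only for the duration of one callback.
public final class J2CAliasReader {

    /** Caller-supplied action that uses the credential while it is live. */
    public interface CredentialUser {
        void use(String userName, char[] password) throws Exception;
    }

    public static void withAlias(String alias, CredentialUser action) throws Exception {
        // Raw collection types: WAS 6.0 runs on a pre-generics JDK.
        Map map = new HashMap();
        map.put(Constants.MAPPING_ALIAS, alias); // "com.ibm.mapping.authDataAlias"
        CallbackHandler handler =
            WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(map, null);

        LoginContext lc = new LoginContext("DefaultPrincipalMapping", handler);
        lc.login();

        // Ask for PasswordCredential explicitly rather than taking element 0
        // of whatever private credentials the Subject happens to hold.
        Subject subject = lc.getSubject();
        Set creds = subject.getPrivateCredentials(PasswordCredential.class);
        if (creds.isEmpty()) {
            throw new LoginException("No PasswordCredential for alias " + alias);
        }
        PasswordCredential pc = (PasswordCredential) creds.iterator().next();
        char[] password = pc.getPassword();
        try {
            action.use(pc.getUserName(), password);
        } finally {
            // Overwrite the array returned by getPassword() once the caller is done.
            Arrays.fill(password, '\0');
        }
    }
}
```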