Container managed EE app sharing BPF/ICN/ICM authentication

From my experience as a P8 engineer I know many are actually struggling with this. So in this post I'll share a textbook example of how to re-use your BPF/ICN/ICM authentication in your own custom Java EE application.

Download the complete sample project here

The following project assumes the use of IBM WebSphere with support for EE6 (personally using 8.5.5).

The sample project contains a few essential parts:

1. A simple REST service that exposes two methods:

  1. a /ping API that is accessible to all;
  2. a /getObjectStoreID API that is only available to users currently logged on.
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

import com.filenet.api.core.Connection;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.util.UserContext;

/**
 * Sample rest service for which access is managed by the container.
 * Assumes the JAX-RS application is mapped to /rest/*, matching the url-patterns in web.xml.
 * @author nl.ivojonker
 */
@Stateless
@Path("/")
public class SampleService {

	/** Content Engine IIOP URL; left empty in the sample, fill in your CE host and port. */
	private static final String CPEIIOPURL = "iiop://";
	private static final String OBJECTSTORENAME = "OBJECTSTORENAME";

	/**
	 * Accessible to everyone (see web.xml)
	 * @return "pong!"
	 */
	@GET
	@Path("/ping")
	@Produces(MediaType.TEXT_PLAIN)
	public String ping(){
		return "pong!";
	}

	/**
	 * A simple api call that requires the user to be authenticated (see web.xml)
	 * @return the object store id, or 403 when the container supplied no subject
	 */
	@GET
	@Path("/getObjectStoreID")
	@Produces(MediaType.TEXT_PLAIN)
	public Response someApi(){
		// The JAAS subject WebSphere authenticated for this request (LTPA SSO cookie or login).
		Subject subject = UserContext.getAmbientSubject();
		if (subject == null) {
			return Response.status(Status.FORBIDDEN).entity("No SSO or existing session").build();
		}

		Connection connection = Factory.Connection.getConnection(CPEIIOPURL);
		UserContext context = UserContext.get();
		// Push the container subject so the Content Engine calls run as the logged-on user ...
		context.pushSubject(subject);
		try {
			Domain domain = Factory.EntireNetwork.fetchInstance(connection, null).get_LocalDomain();
			ObjectStore store = Factory.ObjectStore.fetchInstance(domain, OBJECTSTORENAME, null);
			return Response.ok(store.get_Id().toString()).build();
		} finally {
			// ... and always pop it again: UserContext is thread-bound and the request thread is
			// pooled, so a subject left behind would be picked up by the next request on this thread.
			context.popSubject();
		}
	}

}

2. A web.xml specifying which resources (URLs) are behind authentication and which are not.

	<!-- Everything under the application requires an authenticated caller in role "All Authenticated". -->
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>SampleService</web-resource-name>
			<description>While the complete application is secured....</description>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>All Authenticated</role-name>
		</auth-constraint>
		<user-data-constraint>
			<description>User data constraints</description>
			<!-- NONE: the container does not require HTTPS for these URLs; CONFIDENTIAL would enforce it. -->
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

	<!-- The more specific pattern wins: no auth-constraint here means the container lets everyone in. -->
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>SampleService</web-resource-name>
			<description>Everyone is allowed to access the ping page</description>
			<url-pattern>/rest/ping</url-pattern>
		</web-resource-collection>
		<user-data-constraint>
			<description>User data constraints</description>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

	<!-- Roles referenced above; they are mapped to subjects in ibm-application-bnd.xml. -->
	<security-role>
		<description>All Authenticated</description>
		<role-name>All Authenticated</role-name>
	</security-role>
	<security-role>
		<description>Everyone</description>
		<role-name>Everyone</role-name>
	</security-role>

3. A (WebSphere-specific) ibm-application-bnd.xml file in which the security roles are mapped to subjects.

Note that this mapping can be managed from within wasadmin as well.

<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd" version="1.0">
  <security-role name="All Authenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>
  <security-role name="Everyone">
    <special-subject type="EVERYONE"/>
  </security-role>
</application-bnd>
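To confirm that the identity the Content Engine acts under is really the one the container authenticated, here is an added /whoami resource (example code, not part of the sample project): it reports the container principal next to the user CE resolves from the ambient subject. It assumes the same /rest/* mapping and web.xml constraints as above; the CE URL is a placeholder and comparing on short name or name is an assumption about your user registry.

```java
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;

import com.filenet.api.core.Connection;
import com.filenet.api.core.Factory;
import com.filenet.api.security.User;
import com.filenet.api.util.UserContext;

/** Added example: report the container principal next to the user CE resolves from the ambient subject. */
@Stateless
@Path("/")
public class WhoAmIService {
	// Placeholder (assumption): replace with your Content Engine IIOP URL.
	private static final String CPEIIOPURL = "iiop://<ce-host>:<ce-port>/FileNet/Engine";

	@GET
	@Path("/whoami")
	@Produces(MediaType.TEXT_PLAIN)
	public Response whoAmI(@Context SecurityContext sc) {
		// Container side: the principal WebSphere authenticated (LTPA SSO cookie or login).
		String containerUser = sc.getUserPrincipal() == null ? null : sc.getUserPrincipal().getName();
		Subject subject = UserContext.getAmbientSubject();
		if (containerUser == null || subject == null) {
			return Response.status(Status.UNAUTHORIZED).entity("no authenticated caller").build();
		}
		UserContext context = UserContext.get();
		context.pushSubject(subject);
		try {
			Connection connection = Factory.Connection.getConnection(CPEIIOPURL);
			// CE side: the user the Content Engine resolved from the pushed subject.
			User p8User = Factory.User.fetchCurrent(connection, null);
			// Which name form the container reports depends on the user registry, so accept either.
			boolean match = containerUser.equalsIgnoreCase(p8User.get_ShortName())
					|| containerUser.equalsIgnoreCase(p8User.get_Name());
			return Response.ok("container=" + containerUser + " ce=" + p8User.get_ShortName()
					+ " match=" + match).build();
		} finally {
			context.popSubject(); // thread-bound context on a pooled thread: always pop
		}
	}
}
```

Because /whoami falls under the /* constraint, an unauthenticated call never reaches the method; a mismatch in the response points at the role mapping or the registry the CE and WebSphere are configured against.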

Wrapping it all up: there's just no need for complex mechanisms or, worse, storing and sharing passwords between services 🙂


One thought on “Container managed EE app sharing BPF/ICN/ICM authentication”

  1. I will definitely spread the word about this. It is a struggle and something that keeps coming back. Development writes a showcase and before you know it, it gets rolled out. With this you can take it into account right from the first line of code. Thanks Ivo!
