{"id":391,"date":"2016-06-30T06:55:07","date_gmt":"2016-06-30T04:55:07","guid":{"rendered":"http:\/\/h2916922.stratoserver.net:8084\/?p=391"},"modified":"2016-07-04T11:13:27","modified_gmt":"2016-07-04T09:13:27","slug":"lifting-on-icn-authentication-in-custom-applications","status":"publish","type":"post","link":"https:\/\/www.ivojonker.nl\/?p=391","title":{"rendered":"Container managed EE app sharing BPF\/ICN\/ICM authentication"},"content":{"rendered":"

From my experience as a P8 engineer i know many are actually struggling with this. So in this post i’ll share a textbook example on how to \u00a0re-use your BPF\/ICN\/ICM authentication in your own custom Java EE application.<\/p>\n

Download the complete sample project here<\/a><\/p>\n

The following project assumes the use of IBM Websphere with support for EE6 (personally using\u00a08.5.5.).<\/p>\n

The sample project contains a few essential parts:<\/p>\n

1. A Simple rest-service that exposes two methods;<\/p>\n

    \n
  1. a \/ping api that will be accessible to all;<\/li>\n
  2. and a \/getObjetStoreID api that is only available to users currently logged on.<\/li>\n<\/ol>\n
    \/**\r\n * Sample rest service for which access is managed by the container.  \r\n * @author nl.ivojonker\r\n *\/\r\n@Stateless\r\npublic class SampleService {\r\n\r\n\r\n\tprivate static final String CPEIIOPURL = \"iiop:\/\/\";\r\n\tprivate static final String OBJECTSTORENAME = \"OBJECTSTORENAME\";\r\n\r\n\t\/**\r\n\t * Accesible to everyone (see web.xml)\r\n\t * @return\r\n\t *\/\r\n\t@Path(\"\/ping\")\r\n\tpublic String ping(){\r\n\t\treturn \"pong!\";\r\n\t}\r\n\r\n\t\/**\r\n\t * A simple api call that requires the user to be authenticated (see web.xml) \r\n\t * @return\r\n\t *\/\r\n\t@Path(\"\/getObjectStoreID\")\r\n\t@Produces(MediaType.TEXT_PLAIN)\r\n\tpublic Response someApi(){\r\n\t\tConnection connection = Factory.Connection.getConnection(CPEIIOPURL);\r\n\r\n\t\tSubject subject = UserContext.getAmbientSubject();\r\n\t\tif (subject == null) {\r\n\t\t\treturn Response.status(Status.FORBIDDEN).entity(\"No SSO or existing session\").build();\r\n\t\t}\r\n\r\n\t\tUserContext.get().pushSubject(subject);\r\n\r\n\t\tDomain domain = Factory.EntireNetwork.fetchInstance(connection, null).get_LocalDomain();\r\n\t\tObjectStore store = Factory.ObjectStore.fetchInstance(domain, OBJECTSTORENAME, null);\r\n\r\n\t\treturn Response.ok(store.get_Id().toString()).build();\r\n\t}\r\n\r\n}\r\n<\/pre>\n
    2. A web.xml in which is specified what resources (urls) are behind authentication, and which urls are not.<\/p>\n
    \t<security-constraint>\r\n\t\t<web-resource-collection>\r\n\t\t\t<web-resource-name>SampleService<\/web-resource-name>\r\n\t\t\t<description>While the complete application is secured....<\/description>\r\n\t\t\t<url-pattern>\/*<\/url-pattern>\r\n\t\t<\/web-resource-collection>\r\n\t\t<auth-constraint>\r\n\t\t\t<role-name>All Authenticated<\/role-name>\r\n\t\t<\/auth-constraint>\r\n\t\t<user-data-constraint>\r\n\t\t\t<description>User data constraints<\/description>\r\n\t\t\t<transport-guarantee>NONE<\/transport-guarantee>\r\n\t\t<\/user-data-constraint>\r\n\t<\/security-constraint>\r\n\r\n\t<security-constraint>\r\n\t\t<web-resource-collection>\r\n\t\t\t<web-resource-name>SampleService<\/web-resource-name>\r\n\t\t\t<description>Everyone is allowed to access the ping page<\/description>\r\n\t\t\t<url-pattern>\/rest\/ping<\/url-pattern>\r\n\t\t<\/web-resource-collection>\r\n\t\t<user-data-constraint>\r\n\t\t\t<description>User data constraints<\/description>\r\n\t\t\t<transport-guarantee>NONE<\/transport-guarantee>\r\n\t\t<\/user-data-constraint>\r\n\t<\/security-constraint>\r\n\r\n\t<security-role>\r\n\t\t<description>All Authenticated<\/description>\r\n\t\t<role-name>All Authenticated<\/role-name>\r\n\t<\/security-role>\r\n\t<security-role>\r\n\t\t<description>Everyone<\/description>\r\n\t\t<role-name>Everyone<\/role-name>\r\n\t<\/security-role><\/pre>\n
    3. An (websphere specific) ibm-application-bnd.xml file in which we map security roles to subjects.<\/p>\n
    Note that this can be managed from within the wasadmin as well.<\/p>\n
    <?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<application-bnd xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" xmlns=\"http:\/\/websphere.ibm.com\/xml\/ns\/javaee\"\r\n    xsi:schemaLocation=\"http:\/\/websphere.ibm.com\/xml\/ns\/javaee http:\/\/websphere.ibm.com\/xml\/ns\/javaee\/ibm-application-bnd_1_0.xsd\" version=\"1.0\">\r\n  <security-role name=\"All Authenticated\">\r\n    <special-subject type=\"ALL_AUTHENTICATED_USERS\"\/>\r\n  <\/security-role>\r\n  <security-role name=\"Everyone\">\r\n    <special-subject type=\"EVERYONE\"\/>\r\n  <\/security-role>\r\n<\/application-bnd>\r\n\r\n<\/pre>\n
    Wrapping it all up; there’s just no need for complex mechanisms, – or worse, storing and sharing passwords between services \ud83d\ude42<\/p>\n
     <\/p>\n","protected":false},"excerpt":{"rendered":"
    From my experience as a P8 engineer i know many are actually struggling with this. So in this post i’ll share a textbook example on how to \u00a0re-use your BPF\/ICN\/ICM […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-391","post","type-post","status-publish","format-standard","hentry","category-geen-categorie"],"_links":{"self":[{"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=\/wp\/v2\/posts\/391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=391"}],"version-history":[{"count":11,"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=\/wp\/v2\/posts\/391\/revisions"}],"predecessor-version":[{"id":403,"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=\/wp\/v2\/posts\/391\/revisions\/403"}],"wp:attachment":[{"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ivojonker.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}