Using the SCA RequestContext.getSecuritySubject() API
The Service Component Architecture (SCA) RequestContext.getSecuritySubject() application programming interface returns the Java Authentication and Authorization Service (JAAS) subject that represents the authenticated user accessing a protected SCA service.
Before you begin
An SCA service developer can use the RequestContext.getSecuritySubject() API to obtain the JAAS subject that represents the requester.
If one or more of the following prerequisites are not met, the SCA request is not authenticated and the RequestContext.getSecuritySubject API returns a null subject (callers must therefore treat null as "unauthenticated", never as an anonymous-but-acceptable user):
- Administrative security must be enabled so that the security infrastructure is initialized.
- Application security must be enabled so that security policies and authentication are enforced.
- The SCA service must require an authenticated user. Authentication can be performed at the transport layer with the authentication.transport intent (for OSOA composites) or the clientAuthentication.transport intent (for OASIS composites). Authentication can be performed at the message layer by attaching a web service policy set that requires authentication.
About this task
When you use the RequestContext.getSecuritySubject() API, perform the following steps:
Procedure
- Use the RequestContext.getSecuritySubject API in your implementation class.
The following example uses the OSOA RequestContext.getSecuritySubject API. The context is injected with the @Context annotation; the request subject is read inside the service method, where the first principal's name is taken as the requester's security name. The method returns that name (null when the request was not authenticated):

    import org.osoa.sca.annotations.Context;
    import org.osoa.sca.annotations.Service;
    import org.osoa.sca.RequestContext;
    import javax.security.auth.Subject;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import com.ibm.websphere.security.cred.WSCredential;

    @Service(EchoService.class)
    public class EchoServiceWithIdentityComponentImpl implements EchoService {

        // The SCA runtime injects the request context for the current invocation.
        @Context
        protected RequestContext requestContext;

        public String echo_String(String input) {
            Subject subject = null;
            String securityName = null;
            try {
                if (requestContext != null) {
                    subject = requestContext.getSecuritySubject();
                }
                // A null subject means the request was not authenticated
                // (one of the prerequisites above is not met).
                if (subject != null) {
                    Set<Principal> principalSet = subject.getPrincipals();
                    if (principalSet != null && !principalSet.isEmpty()) {
                        Iterator<Principal> principalIterator = principalSet.iterator();
                        if (principalIterator.hasNext()) {
                            Principal principal = principalIterator.next();
                            securityName = principal.getName();
                        }
                    }
                }
            } catch (Exception ex) {
                // Handle exception
            }
            return securityName;
        }
    }

The same example applies when you use the OASIS RequestContext.getSecuritySubject API; only the package names change:

    import org.oasisopen.sca.annotation.Context;
    import org.oasisopen.sca.annotation.Service;
    import org.oasisopen.sca.RequestContext;

- Individual security attributes of the request can be obtained from the WSCredential object in the subject, as shown in the following example. The WSCredential accessor methods throw CredentialExpiredException and CredentialDestroyedException, so this block belongs inside the try block of the service method above; the attributes are collected in a separate StringBuilder rather than in the String securityName:

    if (subject != null) {
        StringBuilder attributes = new StringBuilder();
        Set<Object> credSet = subject.getPublicCredentials();
        if (credSet != null && !credSet.isEmpty()) {
            Iterator<Object> credIterator = credSet.iterator();
            while (credIterator.hasNext()) {
                Object o = credIterator.next();
                WSCredential cred = null;
                if (o instanceof WSCredential) {
                    cred = (WSCredential) o;
                } else {
                    attributes.append("\n>> Found a public credential: " + o.getClass().getName());
                }
                if (cred != null) {
                    attributes.append("\n>> WSCredential security attributes . . .");
                    attributes.append("\n>> getAccessId = \t\t" + cred.getAccessId());
                    attributes.append("\n>> getGroupIds = \t\t" + cred.getGroupIds());
                    attributes.append("\n>> getPrimaryGroupId = \t\t" + cred.getPrimaryGroupId());
                    attributes.append("\n>> getRealmName = \t\t" + cred.getRealmName());
                    attributes.append("\n>> getRealmSecurityName = \t\t" + cred.getRealmSecurityName());
                    attributes.append("\n>> getRealmUniqueSecurityName = \t\t" + cred.getRealmUniqueSecurityName());
                    attributes.append("\n>> getSecurityName = \t\t" + cred.getSecurityName());
                    attributes.append("\n>> getUniqueSecurityName = \t\t" + cred.getUniqueSecurityName());
                }
            }
        }
    }

The realm security name consists of the realm name followed by the requester's identity. For example, assume that WebSphere® Application Server is configured to authenticate against a Lightweight Directory Access Protocol (LDAP) server. The realm name is then the LDAP server host name and port number:

    security name = ldap1.austin.ibm.com:389/user2

Sample output:

    >> WSCredential security attributes . . .
    >> getAccessId = user:ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
    >> getGroupIds = [group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US]
    >> getPrimaryGroupId = group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US
    >> getRealmName = ldap1.austin.ibm.com:389
    >> getRealmSecurityName = ldap1.austin.ibm.com:389/user2
    >> getRealmUniqueSecurityName = ldap1.austin.ibm.com:389/cn=user2,o=ibm,c=us
    >> getSecurityName = user2
    >> getUniqueSecurityName = cn=user2,o=ibm,c=us
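The page's examples only read the requester's identity. The following added example (it is not from the original page and not IBM's code) shows the use a service would more often make of the subject: turning the WSCredential into a fail-closed authorization decision. It uses the OASIS package names, reuses the EchoService interface assumed from the example above, and defines a hypothetical required group id REQUIRED_GROUP in the same form as the group ids in the sample output (group:<realm>/<group DN>). A null subject (request not authenticated), an unauthenticated or expired credential, or a credential outside the required group all result in denial; only an exact match of a realm-qualified group id grants access.

```java
import java.util.Set;

import javax.security.auth.Subject;

import org.oasisopen.sca.RequestContext;
import org.oasisopen.sca.annotation.Context;
import org.oasisopen.sca.annotation.Service;

import com.ibm.websphere.security.cred.CredentialDestroyedException;
import com.ibm.websphere.security.cred.CredentialExpiredException;
import com.ibm.websphere.security.cred.WSCredential;

/**
 * Added example (not from the original page): an SCA component that uses
 * RequestContext.getSecuritySubject() to authorize the caller, failing closed.
 * EchoService is the interface assumed from the page's own example.
 */
@Service(EchoService.class)
public class AuthorizedEchoServiceImpl implements EchoService {

    // Hypothetical group id, in the realm-qualified form WebSphere uses for
    // LDAP groups (see getGroupIds in the sample output above).
    static final String REQUIRED_GROUP =
        "group:ldap1.austin.ibm.com:389/CN=GROUP2,O=IBM,C=US";

    // Injected by the SCA runtime for the current invocation.
    @Context
    protected RequestContext requestContext;

    public String echo_String(String input) {
        Subject subject = (requestContext == null) ? null : requestContext.getSecuritySubject();
        String caller = authorize(subject, REQUIRED_GROUP);
        if (caller == null) {
            // Deny without revealing which check failed.
            throw new SecurityException("echo_String: caller is not authorized");
        }
        return caller + ": " + input;
    }

    /**
     * Returns the caller's realm security name (realm/user) when the subject
     * carries a live, authenticated WSCredential that is a member of
     * requiredGroup; returns null (deny) in every other case.
     */
    static String authorize(Subject subject, String requiredGroup) {
        if (subject == null) {
            // No subject: the request was not authenticated because one of the
            // prerequisites above is not met. Never treat this as anonymous-OK.
            return null;
        }
        // Typed lookup avoids the instanceof loop over getPublicCredentials().
        Set<WSCredential> creds = subject.getPublicCredentials(WSCredential.class);
        for (WSCredential cred : creds) {
            try {
                if (cred.isUnauthenticated()) {
                    continue; // an unauthenticated credential does not count
                }
                // getGroupIds() returns realm-qualified group ids. Compare them
                // as whole strings; a substring or suffix match would let
                // "CN=GROUP2,O=IBM,C=US" in another realm pass.
                for (Object groupId : cred.getGroupIds()) {
                    if (requiredGroup.equals(groupId)) {
                        return cred.getRealmSecurityName();
                    }
                }
            } catch (CredentialExpiredException e) {
                continue; // expired credential: treat as unauthenticated
            } catch (CredentialDestroyedException e) {
                continue; // destroyed credential: treat as unauthenticated
            }
        }
        return null;
    }
}
```

Because the authorization logic lives in a static method that takes the Subject as a parameter, it can be unit-tested with a hand-built Subject whose public credentials contain a WSCredential stub, without deploying the component to the server.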