How to populate Subject from the TAIResult?


I've implemented com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor according to this article https://www.ibm.com/developerworks/library/mw-1612-lansche-trs/index.html, and it seems to be working. Does anyone have example code to populate the Subject from the TAIResult?


The IBM SAML TAI (com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor) is an IBM-provided Java class. It is an implementation of the WebSphere Trust Association Interceptor framework, and uses SAML specifications for establishing trust without having to write custom Java code.

Based on the wording of your question it sounds as if you may have instead followed the link within that article to a much older (but still valid) technical article about the underlying TAI framework. This guide absolutely describes writing custom code that implements an IBM Java interface (com.ibm.wsspi.security.tai.TrustAssociationInterceptor) with your own trust logic and covers the public TAIResult negotiateValidateandEstablishTrust() method you must implement.

A little lower in the TAI article is an overview of three static methods in the TAIResult class to help you populate an identity:

The TAIResult class has three static methods for creating a TAIResult, all of which always take an int as the first parameter. This parameter is expected to be a valid HTTP request return code...

You can build a Subject in two ways: have WebSphere create one automatically by providing a userid string (and allowing WebSphere to query the user repository), or manually, by programmatically creating one. The manual approach is the most powerful - you can do everything from creating an "ephemeral" user on the fly, including group memberships, to using other WAS APIs to create a fully populated Subject and then modifying it - for example to add group membership on the fly (and not in the underlying user repository).

There are code samples of each Subject approach in section "TAI Usage" in the definitive guide to WAS authentication and TAI implementation.

If you do build your own Subject or add custom credential objects, make sure the classes are serializable - see the article's section on propagation.

Just to provide some sample code, here's an example from the article that describes completely building a Subject on the fly in your negotiateValidateandEstablishTrust() method:

import java.util.ArrayList;
import java.util.Hashtable;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.token.AttributeNameConstants;

// Runs inside negotiateValidateandEstablishTrust(). The registry lookups throw
// checked exceptions (EntryNotFoundException, CustomRegistryException,
// RemoteException); catch them and rethrow WebTrustAssociationFailedException.
String userid = "the_user_id"; // get from request, etc.
InitialContext ctx = new InitialContext();
UserRegistry reg = (UserRegistry) ctx.lookup("UserRegistry");
String uniqueid = reg.getUniqueUserId(userid);

// define groups (a list of unique group ids from the registry)
ArrayList groups = new ArrayList();
// add admin group
groups.add(reg.getUniqueGroupId("Administrators"));

// stash in hashtable; WebSphere reads these well-known keys when it builds the WSCredential
Hashtable hashtable = new Hashtable();
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, uniqueid + "MyCustom");

// the hashtable goes into the public credentials; the login module picks it up from there
Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);

In IBM's SAML TAI you mention, they themselves implement the above to read SAML XML documents of various flavors from the HttpServletRequest and process them, constructing an ephemeral or registry user identity depending on configuration.

Key documentation:
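To show where the snippet above sits in a complete interceptor, here is an added example of a minimal custom TrustAssociationInterceptor (not code from the question, the answer, or IBM). It returns a TAIResult both ways the answer describes: handing WebSphere a userid so it queries the registry itself, or building the Subject by hand. The request header name X-Asserted-User, the assertionIsTrusted() validation step and the "ephemeral" TAI property are hypothetical placeholders; a real interceptor must verify the assertion (signature, issuer, expiry) before trusting it, which is the part the IBM SAML TAI does for you.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Properties;

import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;

// Added example, not IBM code. Header name and assertionIsTrusted() are hypothetical.
public class ExampleTai implements TrustAssociationInterceptor {
    private static final String ASSERTED_USER_HEADER = "X-Asserted-User"; // hypothetical
    private boolean buildSubjectManually;

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        // "ephemeral" is a made-up custom property for this example
        buildSubjectManually = Boolean.parseBoolean(props.getProperty("ephemeral", "false"));
        return 0;
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Only claim requests that carry the assertion this TAI understands
        return req.getHeader(ASSERTED_USER_HEADER) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String userid = req.getHeader(ASSERTED_USER_HEADER);
        // Never accept an asserted identity without validating its origin
        if (userid == null || !assertionIsTrusted(req)) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        if (!buildSubjectManually) {
            // Approach 1: give WebSphere the userid; it queries the user registry itself
            return TAIResult.create(HttpServletResponse.SC_OK, userid);
        }
        try {
            // Approach 2: supply a pre-built Subject; the principal string is ignored
            return TAIResult.create(HttpServletResponse.SC_OK, "ignored", buildSubject(userid));
        } catch (Exception e) {
            throw new WebTrustAssociationFailedException("Subject creation failed: " + e.getMessage());
        }
    }

    // Builds the hashtable-based Subject from the answer. Every value placed in the
    // hashtable is serializable (String, ArrayList of String) so it survives propagation.
    private Subject buildSubject(String userid) throws Exception {
        InitialContext ctx = new InitialContext();
        UserRegistry reg = (UserRegistry) ctx.lookup("UserRegistry");
        String uniqueid = reg.getUniqueUserId(userid);

        ArrayList groups = new ArrayList();
        groups.add(reg.getUniqueGroupId("Administrators"));

        Hashtable hashtable = new Hashtable();
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, uniqueid + "ExampleTai");

        Subject subject = new Subject();
        subject.getPublicCredentials().add(hashtable);
        return subject;
    }

    // Placeholder for the real trust check (signature, issuer, expiry of the assertion)
    private boolean assertionIsTrusted(HttpServletRequest req) {
        return false; // fail closed until a real validation is implemented
    }

    @Override
    public String getVersion() { return "1.0"; }

    @Override
    public String getType() { return getClass().getName(); }

    @Override
    public void cleanup() { }
}
```

The two TAIResult.create() overloads are the decision point: with a userid only, WebSphere resolves groups from the registry; with a Subject, the hashtable in getPublicCredentials() is what the login module uses, so group membership that does not exist in the registry can only be granted this way.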