
WAS 6 - read user and password from J2C Authentication Data


brendon...@yahoo.com

Oct 21, 2006, 9:07:50 AM
I had this working in WAS5... I want to be able to read the J2C Authentication Alias information (userid and password). This is how I did it in WAS5:

<snip>

InitialContext ctx = new InitialContext();
String str = (String) ctx.lookup("thisNode/cell/legacyRoot/string/myUserPass");
lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));

lc.login();

javax.security.auth.Subject subject = lc.getSubject();
java.util.Set creds = subject.getPrivateCredentials();
result = (javax.resource.spi.security.PasswordCredential) creds.toArray()[0];
servlet.getServletContext().setAttribute("user", result.getUserName());
servlet.getServletContext().setAttribute("password", new String(result.getPassword()));

</snip>

There seems to be a problem with the line

lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));

with regard to the null. I get the following error:

SECJ4030E: Unrecognizable Callback index = 0 com.ibm.wsspi.security.auth.callback.WSManagedConnectionFactoryCallback@16a8bf0

Can somebody help me read the user id and password out of the J2C Authentication Data?

Thanks.

Paul Ilechko

Oct 22, 2006, 8:13:16 PM

brendon...@yahoo.com

Oct 23, 2006, 8:20:25 AM
Is there a new way to read the user and password that doesn't use WSPrincipalMappingCallbackHandler? I came across that page as well, but I don't understand all of the details enough to know if that is what they are trying to explain.

Paul Ilechko

Oct 23, 2006, 8:51:55 AM
brendon...@yahoo.com wrote:
> Is there a new way to read the user and password that doesn't use WSPrincipalMappingCallbackHandler? I came across that page as well, but I don't understand all of the details enough to know if that is what they are trying to explain.

I'm not sure, but maybe you can do a getProperties() on the
WSMappingPropertiesCallback.

Here's the javadoc:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.javadoc.doc/public_html/spi/com/ibm/wsspi/security/auth/callback/WSMappingPropertiesCallback.html

brendon...@yahoo.com

Oct 23, 2006, 2:10:55 PM
I find it interesting nobody (or at least very few people) has tried to read the username and password out of a J2C entry. It seems like it would be a very easy way to store ids and passwords needed for different tasks the application performs like looking up some information on a user in Active Directory, for instance. Anybody have any other way to do this besides storing the id and password in the String bindings?

Thanks for the help so far.

Paul Ilechko

Oct 23, 2006, 3:02:34 PM

Well, you can just store them in a file. In case you are thinking that
it would be more secure to store them in the J2C entry, that's really
not the case, as any application can look up a J2C entry - there's no
authorization on that access. At least with a file you would have the
ability to protect the file itself with OS security, and the ability to
protect access from Java code in WAS by enforcing Java 2 security.

hosup...@gmail.com

Oct 30, 2006, 12:31:20 PM

I don't know if storing username/password in a file is more secure than using J2C. But if all applications in that server share the same J2C, maybe it's not an issue anymore. I understand J2C is not that secure, but it's many companies' policy not to include user name/password in a plain text file. And unless J2C is deprecated in WAS6, there should be a way to use it somehow. I just want to see some simple sample code that reads J2C entries; so far I have found none.

Paul Ilechko

Oct 30, 2006, 9:08:19 PM

I've been told that while it may be possible to get this to work, it
isn't supported using public APIs. I'll post more if I find out more.

hosup...@gmail.com

Nov 6, 2006, 10:57:02 AM
Paul,
Thank you for trying to find the solution. I'm sure there's a way to get J2C data, otherwise it means J2C is not supported in WAS6.

I hope you find the solution and post it here, since I'm sure there are other people who are looking for the same solution.

Thanks again

Paul Ilechko

Nov 6, 2006, 11:11:07 AM

Possible solution - needs to be tested:

Create a new JAAS login config with two modules:

1. The WAS identity mapping module
2. Your custom module

- the identity mapping module should create a subject in shared state,
and your module should be able to get the userid and pwd out of it.

Try this, and post back if it works.

hosup...@gmail.com

Dec 4, 2006, 11:04:22 AM
I received a possible solution from IBM.
WSPrincipalMappingCallbackHandler is deprecated in WAS6. Deprecated doesn't mean it won't work, but as we know it doesn't. I think IBM is working on this problem.

You should instead use WSMappingCallbackHandler. But IBM realized their infocenter example is not correct. From your code, change the following line

lc = new LoginContext("DefaultPrincipalMapping", new WSPrincipalMappingCallbackHandler(str, null));

to this

HashMap map = new HashMap();
map.put("com.ibm.mapping.authDataAlias", str);
// or com.ibm.wsspi.security.auth.callback.Constants.MAPPING_ALIAS is "com.ibm.mapping.authDataAlias"
// map.put(Constants.MAPPING_ALIAS, str);
javax.security.auth.callback.CallbackHandler callbackHandler = WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(map, null);
lc = new LoginContext("DefaultPrincipalMapping", callbackHandler);

Just beware, WAS6 now prefixes the cell or node name in front of the J2C authentication data's alias name. So, you should look for the alias name that includes the cell or node name.
