IBM WebSphere Portal V5 A Guide for Portlet Application Development
Authors: Rodriguez J.R. Chan S. Gonzalez B.
 Published year: 2004
 Pages: 33-34/148
Buy this book on amazon.com >>
 <  Day Day Up  >  

2.18 Credential Vault

WebSphere Portal can be configured to exist in a single sign-on environment using a number of different approaches. If the various systems participating in the SSO realm all authenticate to Domino , WebSEAL can provide the SSO functionality. Third-party authentication mechanisms such as Tivoli Access Manager can also be used to create a unified environment for the user .

However, on the portlet level, there may be systems outside the current SSO realm or applications that simply require an explicit login. To facilitate the storage, retrieval and usage of the credentials necessary to access these back-end systems, WebSphere Portal provides the Credentials Vault Service. This service is based on the Portlet Service architecture discussed in 2.17, "Portlet services" on page 108. The CredentialsVaultService allows you to easily and securely persist user IDs and passwords without concerning yourself with database access code.

Figure 2-14. Credential Vault objects

graphics/02fig14.jpg

 <  Day Day Up  >  
 <  Day Day Up  >  

2.19 Core Credential Vault objects

There are several key objects used when working with or administering the Credential Vault.

2.19.1 Vault

This is a persistent store where credentials are actually stored. WebSphere Portal provides the default database vault. The Tivoli Access Manager lock box could also be registered and used as a vault. You can create and register your own custom vault implementations that may store credentials in some database, in memory or even a simple file system.

2.19.2 Segment

A vault can be separated into segments to distinguish the access control portlets have when working with the credentials stored in the vault. Portlets can retrieve credentials from any type of segment. A vault can only be segmented by the administrator.

  • Administrator Managed A segment flagged as Administrator Managed prevents portlets from creating new slots in the segment.

  • User Managed This type of segment allows a portlet to dynamically create new slots and to place credentials in that slot. Only the default vault provided by WebSphere portal provides user-managed segments.

2.19.3 Slot

A slot is " drawer " in a segment that actually contains the credential. A slot can only contain a single credential. When retrieving credentials, a portlet searches the vault for a slot based on the slot ID. This ID is usually persisted in the PortletData object. The definition and implementation of slots is dependent on the vault containing the slot. The default vault implementation provided by WebSphere Portal provides four types of slots.

  • System slot The credentials stored in this type of slot are available to all users and portlets. This type may be used when a user ID/password is company-specific and not unique for each employee.

  • Administrative slot The credentials stored in this type of slot are applicable to individual users but are associated with administrator-defined resources such as Lotus Notes .

  • Shared slot The credentials stored in this type of slot are available to all the portlets of a specific user. This type may be used when several portlets will access the same back-end system on behalf of the same user.

  • Portlet Private slot The credentials stored in this type of slot are available to the single portlet instance that stored it. The credential is not accessible from any other portlet. This type may be used when the credentials are required only by a single portlet and are not applicable to any other user.

2.19.4 Credential

This object actually contains the user ID/password pair. There are two base types of credentials.

  • Passive credential This type of credential simply persists the user ID/password pair. When a portlet needs to access some back-end system with credentials stored in a passive credential, it is required to retrieve the user ID string and password character array from the credential and manually construct the connection to the back end. Example 2-40 on page 116 illustrates using a passive credential.

    Example 2-40. Accessing a Passive Credential 
    UserPasswordPassiveCredential cred =

      (UserPasswordPassiveCredential) vault.getCredential(

                   slotID,

                   "UserPasswordPassive",

                   null,

                   request);

if (cred != null ){

   String pass = cred.getPassword().toString();

   String userid = cred.getUserId();

}

// Use ID and password to connect to some back end

  • Active credential This type of credential encapsulates the user ID/password pair as well as the all the logic required to access the back-end system. Portlets do not have access to the user ID or password persisted in the credential. However, the credential provides connection methods and utilizes the persisted user ID and password to establish the necessary connection. Example 2-41 illustrates how an active credential never returns the user ID or password but instead provides the requisite connection functionality.

    Example 2-41. Accessing and using an Active Credential 
    JavaMailCredential credential =

       (JavaMailCredential) vault.getCredential(

                slotID,

                "JavaMailCredential",

                config,

                request);

javax.mail.Session mailSession =

       javax.mail.Session.getDefaultInstance(props, null);

if (credential != null ){

   mailSession = credential.getAuthenticatedSession(mailSession, host);

   mailSession.getTransport().send(someMsg);

}

    Since an active credential inherently provides more security, it is the preferred type of credential.

WebSphere Portal ships with several predefined types of credentials.

  • Active credentials

    - HTTPBasicAuthCredential

    - HTTPFormBasedAuthCredential

    - JavaMailCredential

    - LtpaTokenCredential

    - WebSealTokenCredential

    - SiteMinderTokenCredential

  • Passive credentials

    - SimplePassiveCredential

    - UserPasswordPassiveCredential

    - JassSubjectPassiveCredential

Example 2-42 illustrates sample code that can be used to store credentials using the Credential Vault Service provided by WebSphere Portal.

Example 2-42. Storing credentials 
PortletContext context = getPortletConfig().getContext();

CredentialVaultService vault = (CredentialVaultService)

             context.getService(CredentialVaultService.class);

ObjectID defaultSegmentId = vault.getDefaultUserVaultSegmentId();

Map descripMap = new HashMap();

descripMap.put("en", "A simple test slot");

CredentialSlotConfig slot = vault.createSlot(

         "",

         defaultSegmentId,

         descripMap,

         null,

         CredentialVaultService.SECRET_TYPE_USERID_STRING_PASSWORD_STRING,

         false,

         true,

         request);

request.setAttribute("Test_SlotID", slot.getSlotId());

int passLength = password.length();

char[] passChars = new char[passLength];

password.getChars(0, passLength, passChars, 0);

vault.setCredentialSecretUserPassword(

          slot.getSlotId(),

          userid,

          passChars,

          request);
CredentialVaultService methods

  • getCredentialTypes Returns an Iterator of all Credential Types that are registered in the Credential Type Registry.

 <  Day Day Up  >  
IBM WebSphere Portal V5 A Guide for Portlet Application Development
Authors: Rodriguez J.R. Chan S. Gonzalez B.
 Published year: 2004
 Pages: 33-34/148
Buy this book on amazon.com >>

Similar books