Java 以编程方式验证TAI中的用户

我正在开发

TAI

，它必须在websphereportal中授权用户

我的

TAI

使用

OpenID

Connect获取有关用户的所有信息，我想构建一些上下文，将其交给WAS，并告诉WAS他必须信任此上下文，而无需本地帐户

如何在

TAI

中验证用户，而不使用本地存储库中的用户帐户

更新：

代码：

日志：

FFDC：

我发现了这个错误

但我不明白他们想让我这么做

说明：

我有联合存储库，其中只有一个LDAP存储库

更新#2：

我在8.5.5.2上做了这样的测试，没有错误，只有白色屏幕。我尝试使用组“wpsadmins”对用户“bob”进行身份验证。有联合存储库，其中有一个基于文件的内置存储库

更新#3：

我为WAS编写了自定义应用程序，其中有一个按钮，可以向Servlet发出POST请求

部分代码：

if (req.getRemoteUser() == null) {
    req
            .setAttribute("errorMessage",
                    "<b>Error: Please log in before accessing PrintUserInfo.<b>");
    RequestDispatcher disp = getServletContext().getRequestDispatcher(
            "/login.jsp");
    disp.forward(req, resp);
    return;
}
resp.setContentType("text/html");
PrintWriter out = new PrintWriter(resp.getOutputStream());

String id = WSSubject.getCallerPrincipal();
out.println("The WAS Subject layer thinks you are " + id);
    Context ic = new InitialContext();
    Object objRef = ic.lookup("UserRegistry");
    UserRegistry userReg = (UserRegistry) PortableRemoteObject.narrow(
            objRef, UserRegistry.class);
    out.println("<BR><BR>The user registry says your display name is: "
            + userReg.getUserDisplayName(req.getUserPrincipal()
                    .getName()));

    Subject subject = WSSubject.getCallerSubject();
    Set credSet = subject.getPublicCredentials(WSCredential.class);
    //should be impossible.
    if (credSet.size() > 1) {
        System.out
                .println("Expected only one WSCredential in Subject set");
        throw new Exception("Expected one WSCredential, found "
                + credSet.size());
    }
if (credSet.isEmpty()) {
    System.out.println("Credential set is empty");
    throw new Exception("Found no credentials");
}
//get one and only one element of Set
Iterator iter = credSet.iterator();
WSCredential creds = (WSCredential) iter.next();
out.println("<BR><BR>Looking into your Subject your userid is "
        + creds.getSecurityName());
out.println("<BR><BR>Looking into your Subject your uniqueid is "
        + creds.getUniqueSecurityName());
out
        .println("<BR><BR>Looking into your Subject I see these groups: ");
//List groups = helper.getGroups();
List groups = creds.getGroupIds();
iter = groups.iterator();
while (iter.hasNext()) {
    String gid = (String) iter.next();
    out.println("<BR>Group ID: " + gid);
}

更新#4

我在TAI中添加了一些组，并且比我在门户中授权的多（我想），但我只看到白色屏幕，没有任何内容。怎么了

更新#5

WPS给了我一个例外：

[26.03.15 18:47:41:006 AMT] 0000004e DefaultLoginF E com.ibm.wps.auth.impl.DefaultLoginFilter doLoginWithExceptions WpsException occured: com.ibm.wps.services.authentication.exceptions.UserRetrieveException: EJPSD0008E: Exception occurred while retrieving the user [null] from the user registry.

---

您需要创建完整主题，以查看更多详细信息

简而言之，您需要使用类似的代码：

String userid = "bob";//get from request
String uniqueid = "bob";

// stash in hashtable
Hashtable hashtable = new Hashtable();
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,userid);
// hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS,groups);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,uniqueid+"MyCustom");

Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject); 

---

在更新#5中添加的WPS异常上

---

WebSpherePortal要求uniqueid是完全限定的DN。在你的情况下，你只有一个简短的名字。门户确实使用DN在VMM上查找用户，并希望WSCredential.getUniqueSecurityName（）返回DN。

此代码需要uniqueId。但是这个唯一的ID是由userId从UserRegistry检索的。因此，我在UserRegistry中没有用户帐户，我不会检索uniqueId。@dikkini否，您可以自己将此用户Id设置为正确的格式，而无需从注册表获取，请在我创建并使用存储库中不存在的用户时选中此项。此用户将被视为经过身份验证的用户，但如果您无法从存储库中获取组，则很难将其映射到其他所有经过身份验证的用户。Stack Dump=com.ibm.websphere.wim.exception.invaliduniquenameeexception:CWWIM1011E“test”唯一名称无效。我认为，这很麻烦，因为我只有LDAP用户存储库。我必须建立联邦存储库。但是我不知道在联邦Repo中LDAP需要哪种存储库类型。@dikkini我在联邦Repo上，只有文件注册表，我没有user

bob

，上面的代码可以正常工作。因此，将主题创建的TAI代码添加到问题中，并在出现错误时进行描述（stacktrace）。您不应使用虚拟用户名调用用户注册表。

if (req.getRemoteUser() == null) {
    req
            .setAttribute("errorMessage",
                    "<b>Error: Please log in before accessing PrintUserInfo.<b>");
    RequestDispatcher disp = getServletContext().getRequestDispatcher(
            "/login.jsp");
    disp.forward(req, resp);
    return;
}
resp.setContentType("text/html");
PrintWriter out = new PrintWriter(resp.getOutputStream());

String id = WSSubject.getCallerPrincipal();
out.println("The WAS Subject layer thinks you are " + id);
    Context ic = new InitialContext();
    Object objRef = ic.lookup("UserRegistry");
    UserRegistry userReg = (UserRegistry) PortableRemoteObject.narrow(
            objRef, UserRegistry.class);
    out.println("<BR><BR>The user registry says your display name is: "
            + userReg.getUserDisplayName(req.getUserPrincipal()
                    .getName()));

    Subject subject = WSSubject.getCallerSubject();
    Set credSet = subject.getPublicCredentials(WSCredential.class);
    //should be impossible.
    if (credSet.size() > 1) {
        System.out
                .println("Expected only one WSCredential in Subject set");
        throw new Exception("Expected one WSCredential, found "
                + credSet.size());
    }
if (credSet.isEmpty()) {
    System.out.println("Credential set is empty");
    throw new Exception("Found no credentials");
}
//get one and only one element of Set
Iterator iter = credSet.iterator();
WSCredential creds = (WSCredential) iter.next();
out.println("<BR><BR>Looking into your Subject your userid is "
        + creds.getSecurityName());
out.println("<BR><BR>Looking into your Subject your uniqueid is "
        + creds.getUniqueSecurityName());
out
        .println("<BR><BR>Looking into your Subject I see these groups: ");
//List groups = helper.getGroups();
List groups = creds.getGroupIds();
iter = groups.iterator();
while (iter.hasNext()) {
    String gid = (String) iter.next();
    out.println("<BR>Group ID: " + gid);
}

String userid = "alisa";
String uniqueid = "bob";

// add admin group 

// stash in hashtable
Hashtable hashtable = new Hashtable();


try {
    InitialContext ctx = new InitialContext();
    UserRegistry reg  =(UserRegistry)ctx.lookup("UserRegistry");
    String wpsadminsGroupUniqueId = reg.getUniqueGroupId("wpsadmins");
    List<String> groups = new ArrayList<String>();
    groups.add(wpsadminsGroupUniqueId);
    hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
} catch (Exception  e) {
    System.out.println("EXCEPTION IN TAI");
    e.printStackTrace();
}

hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,userid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,uniqueid+"MyCustom");

Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);

The WAS Subject layer thinks you are alisa 

The user registry says your display name is: 

Looking into your Subject your userid is alisa 

Looking into your Subject your uniqueid is bob 

Looking into your Subject I see these groups: 
Group ID: group:domain:port/cn=wpsadmins,cn=CN,ou=OU,o=O,o=O,c=ru 

[26.03.15 18:47:41:006 AMT] 0000004e DefaultLoginF E com.ibm.wps.auth.impl.DefaultLoginFilter doLoginWithExceptions WpsException occured: com.ibm.wps.services.authentication.exceptions.UserRetrieveException: EJPSD0008E: Exception occurred while retrieving the user [null] from the user registry.

String userid = "bob";//get from request
String uniqueid = "bob";

// stash in hashtable
Hashtable hashtable = new Hashtable();
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,userid);
// hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS,groups);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,uniqueid+"MyCustom");

Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);