By Lakshman Abburi, Aravindan Ranganathan, and Marina Sum, April 16, 2008; updated: July 30, 2008
OpenSSO
OpenSSO is Sun's open Web access management project that's based on the Sun Java System Access Manager source code. Future versions of Sun Java System Access Manager will be built from OpenSSO.
Part 1 of this series describes how to configure OpenSSO for user authentication through identity services with IdSvcsClient, an example application built with the NetBeans IDE. In Part 2, again with IdSvcsClient, you learn how to further configure OpenSSO so as to allow authenticated users to perform tasks for which they have been authorized.
Next comes the task of obtaining the attributes of users whose tokens are passed in service calls. User attributes are also called profile attributes. This article, Part 3 of the series, describes how to fetch user attributes by means of the attribute service, still with IdSvcsClient as an example.
As in Parts 1 and 2, we assume you have done the following:
See also:
Part 4: Single Sign-On and Logout
Configurations
The configuration process involves setting up two JavaServer Pages (JSP) pages and making attribute service calls with either the Simple Object Access Protocol (SOAP) or Representational State Transfer (REST) interface.
Setting Up the JSP Pages
To set up the two JSP pages in the NetBeans IDE for the attribute service:
- To invoke the attribute service with either SOAP (denoted as WS in the code) or REST, add this code segment to the authenticate.jsp file:
    <h2>Obtain Profile Attributes</h2>
    <form name="profile" action="profile.jsp" method="POST">
        <input type="hidden" name="token" value="<%= token %>" />
        Profile using Web Service (SOAP/WSDL)
        <input type="submit" value="WS" name="type" /><br><br>
        Profile using REST <input type="submit" value="REST" name="type" /><br>
        <input type="hidden" name="url" value="<%= ourl %>" />
    </form>
Here, the parameter token is the user token that is obtained upon successful authentication. The attribute service fetches user attributes for the token.
Have a look at the full content of authenticate.jsp.
- Create another JSP file, profile.jsp, by right-clicking Web Pages in the IdSvcsClient project and then choosing New > JSP from the context menu.
- In the dialog box that is displayed, type profile as the JSP name.
- Revise the content of profile.jsp to establish the appropriate heading and retrieve the form parameters and the user token. See this sample code segment:
    <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Profile</title>
    </head>
    <body>
        <h1 align="center">Profile Results</h1><hr>
        <br>
        <%
            // Form parameters posted by authenticate.jsp
            String type = request.getParameter("type");
            String token = request.getParameter("token");
            String url = request.getParameter("url");
        %>
        <br><br>
        <hr>
        <h3><a href="index.jsp">Return To Login</a></h3>
    </body>
    </html>
The full content of profile.jsp puts the code segment in perspective.
Making Attribute-Service Calls With SOAP
Next, still in the NetBeans IDE, make the attribute-service calls with SOAP:
- Double-click profile.jsp in the left pane to load the content into the Editor pane on the right.
- Right-click in the Editor pane for the context menu and choose Web Service Client Resources > Call Web Service Operation. See Figure 1.
Figure 1: Web-Service Operation Call
The Select Operation to Invoke dialog box is displayed.
- Select attributes under IdentityServicesImplPort. See Figure 2.
Figure 2: Attributes Operation
The NetBeans IDE adds the stub code to the profile.jsp file. This code segment shows the content in the related section of the file after code generation:
    <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Profile</title>
    </head>
    <body>
        <h1 align="center">Profile Results</h1><hr>
        <br>
        <%
            String type = request.getParameter("type");
            String token = request.getParameter("token");
            String url = request.getParameter("url");
        %>
        <%-- start web service invocation --%><hr/>
        <%
        try {
            com.idsvcsclient.IdentityServicesImplService service =
                    new com.idsvcsclient.IdentityServicesImplService();
            com.idsvcsclient.IdentityServicesImpl port = service.getIdentityServicesImplPort();
            // TODO initialize WS operation arguments here
            java.util.List<java.lang.String> attributeNames = null;
            com.idsvcsclient.Token subject = new com.idsvcsclient.Token();
            // TODO process result here
            com.idsvcsclient.UserDetails result = port.attributes(attributeNames, subject);
            out.println("Result = " + result);
        } catch (Exception ex) {
            // TODO handle custom exceptions here
        }
        %>
        <%-- end web service invocation --%><hr/>
        <br><br>
        <hr>
        <h3><a href="index.jsp">Return To Login</a></h3>
    </body>
    </html>
Note: This step for invoking Web-service calls is important. Do not skip it and manually add the stub code; otherwise, the calls will not work.
The following code segment shows the rearranged stub code to be executed when you specify WS for the attributes (see also the section "Output of User Attributes").
    <%-- start web service invocation --%><hr/>
    <%
    try {
        // Constant-first comparison avoids a NullPointerException when "type" is absent.
        if ("WS".equals(type)) {
            com.idsvcsclient.IdentityServicesImplService service =
                    new com.idsvcsclient.IdentityServicesImplService();
            com.idsvcsclient.IdentityServicesImpl port = service.getIdentityServicesImplPort();
            // A null list asks the attribute service for all attributes of the identity.
            java.util.List<java.lang.String> attributeNames = null;
            // Wrap the user token from the form in the Token type that the stub expects.
            com.idsvcsclient.Token subject = new com.idsvcsclient.Token();
            subject.setId(token);
            com.idsvcsclient.UserDetails results = port.attributes(attributeNames, subject);
            out.println("<h2>Successful using Web Services (SOAP/WSDL)</h2>");
            java.util.List<com.idsvcsclient.Attribute> attrs = results.getAttributes();
            java.util.Iterator<com.idsvcsclient.Attribute> items = attrs.iterator();
            while (items.hasNext()) {
                com.idsvcsclient.Attribute attr = items.next();
                out.println("Attribute: name=" + attr.getName() + "Values=" + attr.getValues()
                        + "<br>");
            }
            out.println("<br>Roles=" + results.getRoles());
        }
    } catch (Exception ex) {
        try {
            // Test client only: the stack trace is written into the page itself.
            ex.printStackTrace(new java.io.PrintWriter(out));
        } catch (Exception e) {
            // Ignore
        }
    }
    %>
    <%-- end web service invocation --%><hr/>
In addition, the code passes the input parameters. Subsequently, the NetBeans IDE passes on the Web-service call with attributeNames and the subject token.
Note: If you pass a null value for attributeNames, the OpenSSO server's attribute service returns all the attributes for the identity whose token was passed as the parameter in the Web-service call. It then displays the profile attributes on the browser. To narrow the output, pass a select set of user attributes, instead of the complete list, for fetching from the attribute service. In case of exceptions, the NetBeans IDE displays the stack trace.
Making Attribute-Service Calls With REST
Alternatively, make the calls with REST, whose attribute service is triggered by the URI attributes. REST expects three query parameters: resource, action, and token. Here is the code segment in question:
    <%-- start web service invocation --%><hr/>
    <%
    try {
        if ("WS".equals(type)) {
            // Code as explained in the above section for SOAP interface.
        } else if ("REST".equals(type)) {
            if (url == null || url.length() == 0) {
                out.println("<h2>Invalid URL: </h2>" + url);
            } else {
                // The attribute service is reached through the "attributes" URI.
                url += "/attributes";
                java.net.URL iurl = new java.net.URL(url);
                java.net.URLConnection connection = iurl.openConnection();
                connection.setDoInput(true);
                connection.setDoOutput(true);
                connection.setUseCaches(false);
                connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
                // Send POST output. The token is URL-encoded so that reserved
                // characters in it survive form decoding on the server.
                java.io.DataOutputStream printout = new java.io.DataOutputStream(
                        connection.getOutputStream());
                String content = "subjectid=" + java.net.URLEncoder.encode(token, "UTF-8");
                printout.writeBytes(content);
                printout.flush();
                printout.close();
                // Read the response line by line and echo it to the page.
                java.io.BufferedReader reader = new java.io.BufferedReader(
                        new java.io.InputStreamReader(connection.getInputStream()));
                out.println("<h2>Successful using REST</h2>");
                String line;
                while ((line = reader.readLine()) != null) {
                    out.println(line + "<br>");
                }
                reader.close();
            }
        }
    } catch (Exception ex) {
        try {
            // Test client only: the stack trace is written into the page itself.
            ex.printStackTrace(new java.io.PrintWriter(out));
        } catch (Exception e) {
            // Ignore
        }
    }
    %>
    <%-- end web service invocation --%><hr/>
The code opens an HTTP URL connection and performs a POST operation with the token before displaying in the browser the attributes for the user whose token was passed to the service.
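The REST segment above takes both url and token from request parameters and posts the token to whatever address url names. As an added example (not code from the original article), this stand-alone Java class shows the same call with the endpoint checked against an allow-list, the token URL-encoded, and each response line HTML-escaped before display; the class name AttributeClient, the TRUSTED_BASES set, and the hosts sso.example.com and other.example.net are assumptions.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

class AttributeClient {
    // Assumption: the single OpenSSO identity-service base URL this client trusts.
    static final Set<String> TRUSTED_BASES =
            Collections.singleton("https://sso.example.com:8443/opensso/identity");
    // Reject any base URL that is not allow-listed, so the token is never sent elsewhere.
    static URL attributesEndpoint(String base) throws MalformedURLException {
        if (base == null || !TRUSTED_BASES.contains(base)) {
            throw new IllegalArgumentException("untrusted identity-service URL");
        }
        return new URL(base + "/attributes");
    }
    // URL-encode the token: '+' and '=' would otherwise be misread by the form decoder.
    static String formBody(String token) throws UnsupportedEncodingException {
        return "subjectid=" + URLEncoder.encode(token, "UTF-8");
    }
    // Escape the characters that matter when a value is echoed into HTML.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    // POST the token to the allow-listed endpoint and return HTML-safe response lines.
    static List<String> fetch(String base, String token) throws IOException {
        HttpURLConnection c = (HttpURLConnection) attributesEndpoint(base).openConnection();
        c.setDoOutput(true); // with a request body, HttpURLConnection sends a POST
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream os = c.getOutputStream()) {
            os.write(formBody(token).getBytes(StandardCharsets.US_ASCII));
        }
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
            for (String l; (l = r.readLine()) != null; ) lines.add(escapeHtml(l));
        }
        return lines;
    }
    // Offline demonstration with constructed values; fetch() needs a reachable server.
    public static void main(String[] args) throws Exception {
        System.out.println(formBody("AQIC+constructed=token"));
        System.out.println(escapeHtml("cn=<b>John Smith</b>"));
        try { attributesEndpoint("http://other.example.net/identity"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In profile.jsp, a call such as fetch(url, token) would replace the inline connection code, with each returned line written to the page followed by a line break.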
You are now ready to compile, deploy, and run IdSvcsClient as a test for the attribute service.
Deployment, Execution, and Testing of the Application
To deploy and run IdSvcsClient in the NetBeans IDE, right-click the IdSvcsClient project and choose Undeploy and Deploy from the context menu. The IDE then compiles the necessary classes, builds the WAR file, and deploys it to Sun Java System Application Server. Afterward, you can access the client application at http://localhost:8080/IdSvcsClient.
To test the attribute service, first authenticate the user whose attributes you'd like to obtain. For example, for John Smith, type his user name and password in the appropriate text fields in the authentication screen, shown in Figure 3.
Figure 3: Authentication Screen
After successful authentication, the OpenSSO server displays the Authentication Results screen for testing, as shown in Figure 4.
Figure 4: Authentication Results Screen
Output of User Attributes
To fetch the related user attributes with SOAP, click the WS button under Obtain Profile Attributes. Figure 5 shows an example of the output.
Figure 5: Example of User Attributes Fetched With SOAP
To fetch the related user attributes with REST, click the REST button under Obtain Profile Attributes. Figure 6 shows an example of the output.
Figure 6: Example of User Attributes Fetched With REST
Coming Attractions
Subsequent parts of this series will show you how to audit, create, and update identity services; also how to achieve single sign-on and logout. Stay tuned!
Lakshman Abburi, an identity-management developer since 2003, joined Sun in 2006. He holds an M.S. degree in Computer Science from the University of Minnesota.
Aravindan Ranganathan, a software architect at Sun, is currently designing identity services for SOA. Previously, he developed solutions for securing Web-service communications and for implementing SSO within and across enterprises. Aravindan has also actively participated in standards bodies, such as the Liberty Alliance Project in defining the Identity Federation Framework (ID-FF); and OASIS Technical Committees in developing SAML, XACML, and SPML specifications.
Marina Sum is a staff writer for Sun Developer Network. She has been writing for Sun since 1989, mostly in the technical arena. Marina blogs on Sun's products, technologies, events, publications, and unsung heroes.