There are three basic layers into which you can plug your own authentication mechanism:
The most powerful approach to customization is to write your own security provider. This involves the following steps:
Implement org.idoox.security.spi.ClientSecurityProvider and org.idoox.security.spi.ServerSecurityProvider
Assign a name to the new security provider
Plug the security provider into the WSO2 SOA Enablement Server configuration files using the Administration Console.
In the Server Preferences panel of the Administration Console (see Server Preferences Management), select the Security tree node.
Select the Providers tree node.
Click on the Add Provider button.
Enter the name and class of the provider in the new fields that appear.
All security providers shipped with WSO2 SOA Enablement Server for Java use JAAS login modules to map received authentication data from the incoming message to a user, which is represented as an instance of org.idoox.security.WASPPrincipal in the JAAS subject created at login over the JAAS security framework.
Each security provider uses a specific JAAS configuration entry (usually configured in the JAAS configuration file. The default file in WSO2 SOA Enablement Server is WASP_HOME/conf/jaas.config). For example, the HttpBasic security provider uses a configuration entry called NamePasswordAN on the server side, while on the client side it uses NamePasswordNoAN. By default, login modules shipped with WSO2 SOA Enablement Server are present in the configuration entries. By changing the configuration entry, you can add your own login module or remove the existing one. For example, if you want to replace the login module used by the WSO2 SOA Enablement Server HttpBasic security provider on the server side with com.mycompany.security.MyLoginModule, you must change the JAAS configuration entry as follows :
Replace:
NamePasswordAN{
com.idoox.security.jaas.NamePasswordLoginModule required debug=true;
};with:
NamePasswordAN{
com.mycompany.security.MyLoginModule required debug=true;
};WSO2 SOA Enablement Server security providers work with different authentication data. For example, in the case of HttpBasic, this data consists of name and password, while for HttpDigest it consists of name and digest value. The data are available to login modules over JAAS callbacks. Each security provider provides specific JAAS callbacks to the JAAS framework. The callbacks are then available to login modules. The callbacks provided by security providers are described in JAAS Login Modules.
If we continue with the MyLoginModule example, com.mycompany.security.MyLoginModule can obtain a username and password by calling the appropriate callbacks. Note that you do not need to use all callbacks available. For example, if you do not use the default WSO2 SOA Enablement Server implementation of UserStore, you do not need the WSO2 SOA Enablement Server user store reference passed by org.idoox.security.jaas.UserStoreCallback .
The WSO2 SOA Enablement Server authorization framework relies on the presence of an instance of org.idoox.security.WASPPrincipal in the JAAS subject after a login over the JAAS framework. If you intend to authorize WSO2 SOA Enablement Server Web service calls, you must set this principal in the commit method of your login module.
For more information, please see also: Sun's Java Authentication and Authorization Service page and JAAS Login Modules.
WSO2 SOA Enablement Server default login modules use WSO2 SOA Enablement Server user store and keystore. You can change the implementation of these by setting appropriate properties and implementing appropriate interfaces. See Keystore and User Store.