Previous     Contents     DocHome     Next     
Directory Server Access Management Edition Programmer's Reference Guide



Chapter 4   Single Sign-On


This chapter describes how to use the public Single Sign-On APIs to create a custom single sign-on solution. It contains the following sections:



Introduction to the Single Sign-On Solution

Every business has resources and services that the business wants to protect. When users want to access these resources, they must authenticate themselves to get access to those resources. The user could be a human being or a service itself accessing a different service. If the users authenticate successfully, and if they are authorized to access those resources, the users are given access to those resources. When a user accesses several resources protected by authentication and authorization policies, it is necessary that a user authenticate every time a protected resource is accessed.  The Single Sign-On feature is a solution that enables a user from having to repeatedly authenticate himself or herself to access multiple applications and services. Providing an SSO solution means that the user will have to authenticate once only. This means that successive attempts by a user to access protected resources will not require the user to provide authentication information to get access to each resource.

Web users are typically required to use a separate password to authenticate themselves to each server they need to access during the course of their work. Multiple passwords are an ongoing headache for both users and system administrators. Users have difficulty keeping track of different passwords, tend to choose poor ones, and tend to write them down in obvious places. Administrators must keep track of a separate password database on each server and deal with potential security problems related to the fact that passwords are sent over the network routinely and frequently.

Solving this problem requires some way for a user to log in only once using a single password, and then get authenticated access to all servers that user is authorized to use—without sending any passwords over the network. This capability is known as Single Sign-On (SSO).

The Web-based Single Sign-On feature in DSAME 5.0 provides or enables the following:

  • The Single Sign-On component or module provides Java interfaces for applications to participate in the Single Sign-On (SSO) solution.

  • The SSO interfaces also include provisions for applications to register callback listeners, which can be invoked when an SSO token is destroyed

  • An adapter servlet may be necessary to integrate non-web applications into DSAME Single Sign-On.

  • Single Sign-On and Authentication support authentication levels.



How SSO Uses Cookies

An encrypted cookie is an information packet generated by the Web Server. Note that a cookie cannot cross domains. (This is a security requirement.) For example, a cookie generated for amazon.com cannot be used for another domain such as fatbrain.com.

A cookie maintains information regarding a user. However, having a cookie does not necessarily imply that the user is authenticated.

The Single Sign-On service and the Authentication service can be thought of as part of the Web Server. In the DSAME 5.0 implementation, the cookie is generated by the Single Sign-On service and set by the Authentication service which, again, is part of the Web server.



How SSO Uses Tokens


The SSO service generates an SSO token using a secure random number generator, then sends it to the Authentication component. The Authentication component then requests a token from the Session component. In DSAME 5.0, an SSO token is inserted into a cookie and sent back to the web browser by the Authentication service. You could consider that a valid SSO token represents an authenticated user.

The SSO APIs in DSAME 5.0 can be used to create SSO tokens after authentication to DSAME has been performed. Multiple tokens created using the SSO API for a single user will point to the same data internally.



Overview of Web-Based Single Sign On (SSO) APIs


DSAME provides a Single Sign-On solution primarily for web-based applications, although it can be extended to any Java-based application, as well as non-Java applications. The SSO solution provides a mechanism by which users need to authenticate only once, and then can access multiple web-based applications without having to re-authenticate. Additionally, it provides interfaces for applications to store generic key-value pairs and to register callback listeners which will be invoked when the SSO token is destroyed.

After a user has been authenticated, it is possible to get an SSO token (either through Java interfaces, or from HTTP headers). This SSO token is the basis for providing a Single Sign-On solution. All DSAME's services and interfaces (except for authentication) need a valid SSO token to process the request. Other applications wishing to participate in the SSO solution must use the SSO token to validate the user's identity.

DSAME's SSO component mainly provides Java interfaces (that is, Java SDK) for applications to participate in the SSO solution. The SSO provides a federated architecture by which different single-sign-on solutions can be plugged in. Figure Figure 4-1 shows the Java SDK architecture of SSO.

Figure 4-1   

SSO SDK Architecture


Overview of SSO Classes/Interfaces

This section provides some overview information of the SSO classes and interfaces. Some of the SSO classes discussed are shown in Figure 4-1.

The main class is SSOTokenManager, which is also the only concrete class in the Single Sign-On component. It provides methods to create, get, and validate SSO tokens. It is a final class and is a singleton. Other classes SSOToken, SSOTokenID, and SSOProvider are Java interfaces. Additionally, the SSO SDK provides SSOTokenListener and SSOTokenEvent to support notification when SSO tokens are invalidated.

The SSOTokenManager maintains a configuration database of the valid SSO providers (that is, valid implementations for SSOProvider, SSOToken and SSOTokenID).

The SSOTokenManager constructor will try to find the provider JAR files, load them, then find the provider mainclass, instantiate it, and store it in the provider (SSOProvider). Providers can be configured using the providerimplclass Java property (which is stored in the <dsame_root>/web-apps/services/WEB-INF/classes/ SSOConfig.properties file). This property must be set to the complete (absolute) package name of the main class of the provider. The main class MUST implement the com.iplanet.sso.SSOProvider interface and MUST have a public no-arg default constructor.

A request to SSOTokenManager gets delegated to one of the providers (SSOProvider). Thus, the SSOProvider class performs the bulk of the function of SSOTokenManager. The SSOTokenID is a string representation of SSOToken.

The SSOToken class represents a "single sign-on" (SSO) token. It contains SSO token-related information such as authentication method used for authentication, authentication level of the authentication method, hostname of the client that sent the request (browser). It also contains session-related information such as maximum session time, maximum session idle time and session idle time.


Note In DSAME 5.0, you cannot integrate your own SSO provider. This may be supported in a future release.


The SSOTokenID class is used to identify an SSOToken object. Additionally, the SSOToken ID string contains a random number, an SSO server host, and an SSO server port. The random string in the SSOTokenID is unique on a given server.

In the case of services written using a servlet container, the SSOTokenID (not the SSO token object) can be communicated from one servlet to another in one of the following ways:

  • as a cookie in http header; or

  • SSOTokenListener interface needs to be implemented by the applications to receive SSO token events.

The SSOTokenEvent class represents an SSO token event. A token is granted when a change in the state of the token occurs. The SSO token event represents a change in SSOToken. The following are possible SSO token event types: SSO_TOKEN_IDLE_TIMEOUT, SSO_TOKEN_MAX_TIMEOUT, and SSO_TOKEN_DESTROY.

The SSO token provides a listener mechanism for applications that need notification when the SSO token expires. The SSO token could expire because it could have reached its maximum session time, or idle time, or an administrator could have terminated the session. Applications wishing to be notified must register a callback object (which implements the SSOTokenListener interface) with the SSO token. The callback object will be invoked when the SSO token expires. Using the SSOTokenEvent (provided through the callback), applications can determine the time, and the cause for the SSO token to expire.


Note The DSAME 5.0 SSO APIs cannot be used in a multi-JVM environment, such as for iPlanet Application Server.


The SSOException class is thrown when there are errors related to SSOToken operations.

For detailed information on the public Single Sign-On APIs in this release, see the Javadocs, which are located in the /opt/SUNWam/web-apps/services/docs/en_USjavadocs directory. (The directory name may vary, depending on the language version that has been installed.)


SSO Feature Intended for SSO Client Applications

The primary purpose of the SSO APIs provided in DSAME 5.0 is for SSO client applications. SSO client applications can include any service or application that a service or application developer wants to make use of the Single Sign-On feature. These SSO client applications use the SSO token to validate Single Sign-On.

The SSO service generates the SSOToken for a user after the user is authenticated. Once the token is generated, it is carried along with the user as the user moves around the web. When that user tries to access any application or service (that is "SSO-aware" or "SSO-enabled"), such applications or services use the token to validate that user has already signed in.

You can use the the SSO service in DSAME 5.0 without any configuration or customization.


Public SSO Classes/Interfaces

The following is a list of the public SSO interfaces that you can use to create and customize your applications and services. Refer to the Javadocs for more information on functionality and how to use these interfaces to implement your own SSO client applications and services in DSAME 5.0. (The Javadocs are located in the /opt/SUNWam/web-apps/services/docs/en_US/javadocs directory. (The directory name may vary, depending on the language version that has been installed.)

  • SSOTokenManager

  • SSOToken

  • SSOTokenListener

  • SSOTokenEvent

  • SSOTokenID

  • SSOException


Implementing an SSO Solution

To implement an SSO solution (Single Sign-On service or application) there must be a way to keep track of user identification after the user is authenticated. The user identification will contain information such as:

  • user's name

  • authentication method by which the user is authenticated

  • authentication level of the authentication method used

You can use this information to get the identity of the user and to give seamless access to the protected web resources.

DSAME provides a set of SSO Java API for the purpose of implementing your own SSO solution. Using these APIs, you can obtain the identity of the user and get authentication information related to the user. The applications can use this information to determine whether to provide access to a resource that a user or device requests access to. For overview information, see "Overview of SSO Classes/Interfaces". Also refer to the Javadocs for the SSO APIs. The Javadocs are located in the /opt/SUNWam/web-apps/services/docs/en_USjavadocs directory. (The directory name may vary, depending on the language version that has been installed.)

For example, say a user authenticates to a site http://www.sun.com/SunStore successfully. The user can later access another protected page http://www.sun.com/UpdateMyInfo. The UpdateMyInfo application will need to authenticate the user again to verify the identity of the user. Instead, this application can use the SSO APIs to determine if the user accessing the UpdateMyInfo application is already authenticated or not. If the SSO API methods indicate that the user is valid and has been authenticated already, then access to this page can be given directly without the user needing to authenticate again. Otherwise, the user may be prompted to authenticate again.

As an example, service developers can use the SSO Java APIs in the following way to determine if the user is already authenticated. (Additionally, the SSO APIs can be used to do things like perform a query on the token for information such as hostname, IP address, idle time, etc.) Refer to Code Example 4-1.

Code Example 4-1    SSO Code Sample To Determine If User Is Already Authenticated  
try {
ServletOutputStream out = response.getOutputStream();

/* create the sso token from http requeest */
SSOTokenManager manager = SSOTokenManager.getInstance();
SSOToken token = manager.createSSOToken(request);

/* use isValid to method to check if the token is valid or not
* this method retuns true for valid token, false otherise
*/
if (manager.isValidToken(token)) {
/* let us get all the values from the token */

String host = token.getHostName();
java.security.Principal principal = token.getPrincipal();
String authType = token.getAuthType();
int level = token.getAuthLevel();
InetAddress ipAddress = token.getIPAddress();
long maxTime = token.getMaxSessionTime();
long idleTime = token.getIdleTime();
long maxIdleTime = token.getMaxIdleTime();
out.println("SSOToken host name: " + host);
out.println("SSOToken Principal name: " + principal.getName());
out.println("Authentication type used: " + authType);
out.println("IPAddress of the host: " +
ipAddress.getHostAddress());
}
/* let us try to validate the token again, with another method
* if token is invalid, this method throws excpetion
*/
manager.validateToken(token);

/* let us get the SSOTokenID associated with the token */
SSOTokenID tokenId = token.getTokenID();

String id = tokenId.toString();

/* print the string representation of the token */

out.println("The token id is " + id);

/* let us set some properties in the token. We can get the values
* of set properties later
*/
token.setProperty("Company", "Sun Microsystems");
token.setProperty("Country", "USA");
String name = token.getProperty("Company");
String country = token.getProperty("Country");

out.println("Property: Company is - " + name);
out.println("Property: Country is - " + country);

out.println("SSO Token Validation test Succeeded");
/* let us add a listener to the SSOToken. Whenever a token
* event arrives, ssoTokenChanged method of the listener will
* get called.
*/
SSOTokenListener myListener = new SampleTokenListener();

token.addSSOTokenListener(myListener);
out.flush();
} catch (Exception e) {
System.out.println("Exception Message: " + e.getMessage());
e.printStackTrace();
}
}
}

In some cases, you might find it more efficient and convenient to use SSOTokenManager.validateToken(token) than SSOTokenManager.isValidToken(token). SSOTokenManager.validToken(token) throws an SSOException when the token is invalid, thus terminating the method execution right away.

The SSO Java APIs can be used only for Web-based SSO. The APIs are not intended to be used in standalone existing non-Web applications to provide single-sign-on functionality. For example, you cannot use the SSO functions to modify an existing standalone Java application to participate in SSO.

It is also possible to get the SSO token if the SSO token ID string is passed to the applications. The example in that case would be something like this:

Code Example 4-2    Code Sample To Get SSO Token If SSO Token ID Is Passed To Applications
SSOTokenManager manager=SSOTokenManager.getInstance();
SSOToken token = manager.CreateSSOToken(tokenString);
* let us get the SSOTokenID associated with the token */
SSOTokenID id = token.getTokenID();

String tokenId = id.toString();

/* print the string representation of the token */

System.out.println("The token ID is " + tokenId);

/* let us set some properties in the token. We can get the values
* of set properties later
*/
token.setProperty("Company", "Sun Microsystems");
token.setProperty("Country", "USA");
String name = token.getProperty("Company");
String country = token.getProperty("Country");

System.out.println("Property: Company is - " + name);
System.out.println("Property: Country is - " + country);

System.out.println("SSO Token Validation test Succeeded");
/* let us add a listener to the SSOToken. Whenever a token
* event arrives, ssoTokenChanged method of the listener will
* get called.
*/
SSOTokenListener myListener = new SampleTokenListener();

token.addSSOTokenListener(myListener);
} catch (Exception e) {
System.out.println(e.getMessage());
e.printStackTrace();
SSOTokenManager manager=SSOTokenManager.getInstance();
SSOToken token = manager.CreateSSOToken(tokenString);
}
}

The applications may also listen for SSO Token events. It is possible that while a user is using an application, an SSO Token may become invalid. There may be several reasons why this may happen. The user's access time out because of the maximum time limit for a user's continuous access of resources. It could become invalid if the user fails to log out of an application and the idle time-out has expired. The application must be informed of such events so that it can terminate the user's access to the application when the tokens become invalid.

The SSO APIs can be used in the following way to get the SSO Token events.

Code Example 4-3    Code Sample To Register For SSOToken Events
SSOTokenListener myListener = new SampleTokenListener();
token.addSSOTokenListener(myListener);

where SampleTokenListener is a class defined as follows:

Code Example 4-4    Code Sample Showing SampleTokenListener Class Defined
public class SampleTokenListener implements SSOTokenListener {

public void ssoTokenChanged(SSOTokenEvent event) {
try {
SSOToken token = event.getToken();
int type = event.getType();
long time = event.getTime();

SSOTokenID id = token.getTokenID();

System.out.println("Token id is: " + id.toString());

if (SSOTokenManager.getInstance().isValidToken(token)) {
System.out.println("Token is Valid");
} else {
System.out.println("Token is Invalid");
}

switch(type) {
case SSOTokenEvent.SSO_TOKEN_IDLE_TIMEOUT:
System.out.println("Token Idel Timeout event");
break;
case SSOTokenEvent.SSO_TOKEN_MAX_TIMEOUT:
System.out.println("Token Max Timeout event");
break;
case SSOTokenEvent.SSO_TOKEN_DESTROY:
System.out.println("Token Destroyed event");
break;
default:
System.out.println("Unknown Token event");
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
}

After the application registers for SSO token events using addSSOTokenListener, any SSO token events will invoke the ssoTokenChanged() method. The application can take a suitable action in this method. See "Overview of SSO Classes/Interfaces" for information on the SSO classes and interfaces' behavior in this release.

Also see the SSO Javadocs for more details on the SSO APIs provided in the DSAME 5.0 release. The Javadocs are located in the /opt/SUNWam/web-apps/services/docs/en_USjavadocs directory. (The directory name may vary, depending on the language version that has been installed.)



Using the SSO Samples


A Readme file and some SSO samples are provided to assist service or application developers in writing, compiling, and running an SSO sample service. Also, there is a Readme.html which provides some information on how to compile and run the SSO sample application:

  • <dsame_root>/samples/sso/Readme.html

  • <dsame_root>/samples/sso/SSOTokenSample.java

  • <dsame_root>/samples/sso/SSOTokenSampleServlet.java

  • <dsame_root>/samples/sso/SampleTokenListener.java

See the information in this section for information on writing and integrating the SSO sample application.


Compiling and Running the SSO Sample Application

This section provides some information on how to use the SSO sample files provided to write, compile, and run an SSO sample application or service.

Additionally, there is a Readme.html file in the <dsame_root>/samples/sso directory that provides some instructions on how to compile and run the SSO sample applications provided. The following three SSO sample files are provided:

  • SSOTokenSample.java

  • SSOTokenSampleServlet.java

  • SampleTokenListener.java

Follow the steps and information in these sections to set environment variables, compile the sample programs, and restart the iPlanet DS and Web servers.


Setting Environment Variables for SSO Sample Programs

  1. Set the following environment variables.

    These environment variables are used to run the make command. You can also set these variables in the Makefile. This Makefile is located in the same directory as the sample files (<dsame_root>/samples/sso).

    1. CLASSPATH—Reference to all the JAR files located in the <dsame_root>/SUNWam/web-apps/services/WEB-INF/lib directory.

    2. JAVA_HOME —Set this variable to the directory where your JDK is installed.


      Note It is not necessary that you use the iPlanet Web Server version of JDK/JRE. You can use any version of JDK, provided that it is newer than version 1.2.2.


    3. BASE_CLASS_DIR—Directory where all the Sample compiled classes will be located.

    4. JAR_DIR—Directory where the JAR files of the sample classes will be created.


Run the gmake Command to Compile the Sample Programs

  1. Go to the directory

    <dsame_root>/SUNWam/samples/sso

    then run:

    gmake

  2. Go to the directory that the JAR_DIR variable is set to. Copy the SSOSample.jar file to the <dsame_root>/SUNWam/web-apps/services/WEB-INF/lib directory.


Register the Sample Servlet

  1. Register the Sample servlet. To do this, insert the lines below at the end of the file:

    <dsame_root>/SUNWam/web-apps/services/WEB-INF/web.xml

    Code Example 4-5    Lines that register Sample servlet to be added to web.xml File

    <servlet>
    <description>SSOTokenSampleServlet</description>
    <servlet-name>SSOTokenSampleServlet</servlet-name>
    <servlet-class>com.iplanet.am.samples.sso.SSOTokenSampleServlet</servlet-class >
    </servlet>
    <servlet-mapping>
    <servlet-name>SSOTokenSampleServlet</servlet-name>
    <url-pattern>/SSOTokenSampleServlet</url-pattern>
    </servlet-mapping>


Restart the DSAME server (and iDS and Web servers)

  1. Restart the server:

    amserver start

    This restarts the DSAME server, the Directory server, and the Web server.

  2. Assign a policy to the SSOTokenSampleServlet; otherwise, you will get an "access denied" page. (You can do this through Admin Console.)

  3. Log in to the DSAME console by typing in the browser:

    <protocol>://<host>:<port>/SSOTokenSampleServlet

    You may have to add a deployment prefix "amserver".

Your sample program should display the output in the browser. In the URL shown in Step 3 above <host> must be a fully-qualified name; for example, salida10.red.iplanet.com.



SSOTokenSampleServlet.java File


The SSOTokenSampleServlet.java file is for creating an SSOToken from an HTTP request object.

Following is the SSOTokenSampleServlet.java file. Refer to "Overview of SSO Classes/Interfaces" for some information on the SSO classes and interfaces' behavior. Also refer to the Javadocs, which are located in the /opt/SUNWam/web-apps/services/docs/en_USjavadocs directory. (The directory name may vary, depending on the language version that has been installed.)

Code Example 4-6    SSOTokenSampleServlet.java File
/**
* $Id: sso.htm,v 1.1 2001/12/11 01:01:17 kellyr Exp $
* Copyright 2001 Sun Microsystems, Inc. Some preexisting
* portions Copyright 2001 Netscape Communications Corp.
* All rights reserved. Use of this product is subject to
* license terms. Federal Acquisitions: Commercial Software --
* Government Users Subject to Standard License Terms and
* Conditions.
*
* Sun, Sun Microsystems, the Sun logo, and iPlanet are
* trademarks or registered trademarks of Sun Microsystems, Inc.
* in the United States and other countries. Netscape and the
* Netscape N logo are registered trademarks of Netscape
* Communications Corporation in the U.S. and other countries.
* Other Netscape logos, product names, and service names are
* also trademarks of Netscape Communications Corporation,
* which may be registered in other countries.
*/

package com.iplanet.am.samples.sso;

import java.net.*;
import javax.servlet.*;
import javax.servlet.http.*;
import com.iplanet.sso.*;

/**
* This Sample serves as a basis for using SSO API. It demonstrates creating
* a SSO Token, calling various methods from the token, setting up event
* listeners and getting called on event listeners. For detailed info refer to the
* Readme.txt
*
* @see com.iplanet.sso.SSOToken
* @see com.iplanet.sso.SSOTokenID
* @see com.iplanet.sso.SSOTokenManager
* @see com.iplanet.sso.SSOTokenEvent
* @see com.iplanet.sso.SSOTokenListener
*/

public class SSOTokenSampleServlet extends HttpServlet {

public void init() throws ServletException {
}

public void doGet(HttpServletRequest request, HttpServletResponse response){

try {
ServletOutputStream out = response.getOutputStream();

/* create the sso token from http requeest */
SSOTokenManager manager = SSOTokenManager.getInstance();
SSOToken token = manager.createSSOToken(request);

/* use isValid to method to check if the token is valid or not
* this method retuns true for valid token, false otherise
*/
if (manager.isValidToken(token)) {
/* let us get all the values from the token */

String host = token.getHostName();
java.security.Principal principal = token.getPrincipal();
String authType = token.getAuthType();
int level = token.getAuthLevel();
InetAddress ipAddress = token.getIPAddress();
long maxTime = token.getMaxSessionTime();
long idleTime = token.getIdleTime();
long maxIdleTime = token.getMaxIdleTime();
out.println("SSOToken host name: " + host);
out.println("SSOToken Principal name: " + principal.getName());
out.println("Authentication type used: " + authType);
out.println("IPAddress of the host: " +
ipAddress.getHostAddress());
}
/* let us try to validate the token again, with another method
* if token is invalid, this method throws excpetion
*/
manager.validateToken(token);

/* let us get the SSOTokenID associated with the token */
SSOTokenID tokenId = token.getTokenID();

String id = tokenId.toString();

/* print the string representation of the token */

out.println("The token id is " + id);

/* let us set some properties in the token. We can get the values
* of set properties later
*/
token.setProperty("Company", "Sun Microsystems");
token.setProperty("Country", "USA");
String name = token.getProperty("Company");
String country = token.getProperty("Country");

out.println("Property: Company is - " + name);
out.println("Property: Country is - " + country);

out.println("SSO Token Validation test Succeeded");
/* let us add a listener to the SSOToken. Whenever a token
* event arrives, ssoTokenChanged method of the listener will
* get called.
*/
SSOTokenListener myListener = new SampleTokenListener();

token.addSSOTokenListener(myListener);
out.flush();
} catch (Exception e) {
System.out.println("Exception Message: " + e.getMessage());
e.printStackTrace();
}
}
}



SampleTokenListener.java


Following is the SampleTokenListener.java file. Refer to "Overview of SSO Classes/Interfaces" for some information on the SSO APIs' behavior; also refer to the Javadocs for more information. (The Javadocs are located in the /opt/SUNWam/web-apps/services/docs/en_USjavadocs directory. (The directory name may vary, depending on the language version that has been installed.)

Code Example 4-7    SampleTokenListener.java File  
/**
* $Id: sso.htm,v 1.1 2001/12/11 01:01:17 kellyr Exp $
* Copyright 2001 Sun Microsystems, Inc. Some preexisting
* portions Copyright 2001 Netscape Communications Corp.
* All rights reserved. Use of this product is subject to
* license terms. Federal Acquisitions: Commercial Software --
* Government Users Subject to Standard License Terms and
* Conditions.
*
* Sun, Sun Microsystems, the Sun logo, and iPlanet are
* trademarks or registered trademarks of Sun Microsystems, Inc.
* in the United States and other countries. Netscape and the
* Netscape N logo are registered trademarks of Netscape
* Communications Corporation in the U.S. and other countries.
* Other Netscape logos, product names, and service names are
* also trademarks of Netscape Communications Corporation,
* which may be registered in other countries.
*/

package com.iplanet.am.samples.sso;

import com.iplanet.sso.*;

/**
* This is the SSO token listener class to listen for sso token events.
* Token events are received when the token state changes. The ssoTokenChanged
* is the method that gets called when the event arrives.
*/
public class SampleTokenListener implements SSOTokenListener {

public void ssoTokenChanged(SSOTokenEvent event) {
try {
SSOToken token = event.getToken();
int type = event.getType();
long time = event.getTime();

SSOTokenID id = token.getTokenID();

System.out.println("Token id is: " + id.toString());

if (SSOTokenManager.getInstance().isValidToken(token)) {
System.out.println("Token is Valid");
} else {
System.out.println("Token is Invalid");
}

switch(type) {
case SSOTokenEvent.SSO_TOKEN_IDLE_TIMEOUT:
System.out.println("Token Idel Timeout event");
break;
case SSOTokenEvent.SSO_TOKEN_MAX_TIMEOUT:
System.out.println("Token Max Timeout event");
break;
case SSOTokenEvent.SSO_TOKEN_DESTROY:
System.out.println("Token Destroyed event");
break;
default:
System.out.println("Unknown Token event");
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
}



SSOTokenSampleServlet.java File


The SSOTokenSampleServlet.java file can be used to create an SSOToken from an SSOTokenID string.


Note A sample .java file is provided to create an SSOToken sample servlet in the DSAME 5.0 release. You should note, however, that the Single Sign-On feature in DSAME 5.0 is primarily web-based.


Following is the SSOTokenSample.java file. Refer to earlier in this chapter for some brief explanations on how part of this sample code works; also refer to the Javadocs for more information.

Code Example 4-8    SSOTokenSample.java File
/**
* $Id: sso.htm,v 1.1 2001/12/11 01:01:17 kellyr Exp $
* Copyright 2001 Sun Microsystems, Inc. Some preexisting
* portions Copyright 2001 Netscape Communications Corp.
* All rights reserved. Use of this product is subject to
* license terms. Federal Acquisitions: Commercial Software --
* Government Users Subject to Standard License Terms and
* Conditions.
*
* Sun, Sun Microsystems, the Sun logo, and iPlanet are
* trademarks or registered trademarks of Sun Microsystems, Inc.
* in the United States and other countries. Netscape and the
* Netscape N logo are registered trademarks of Netscape
* Communications Corporation in the U.S. and other countries.
* Other Netscape logos, product names, and service names are
* also trademarks of Netscape Communications Corporation,
* which may be registered in other countries.
*/

package com.iplanet.am.samples.sso;

import java.net.*;
import com.iplanet.sso.*;

/**
* This sample serves as a basis for using SSO API. It demonstrates creating
* a SSO Token, calling various methods from the token, setting up event
* listeners and getting called on event listeners. Refer to the Readme.txt for
* detailed info on how to use this sample.
*
* @see com.iplanet.sso.SSOToken
* @see com.iplanet.sso.SSOTokenID
* @see com.iplanet.sso.SSOTokenManager
* @see com.iplanet.sso.SSOTokenEvent
* @see com.iplanet.sso.SSOTokenListener
*/

public class SSOTokenSample {
public static void main(String[] args) {

try {
SSOTokenManager manager = SSOTokenManager.getInstance();

SSOToken token = manager.createSSOToken(args[0]);

/* use isValid method to check if the token is valid or not
* this method retuns true for valid token, false otherise
*/
if (manager.isValidToken(token)) {
/* let us get all the values from the token */

String host = token.getHostName();
java.security.Principal principal = token.getPrincipal();
String authType = token.getAuthType();
int level = token.getAuthLevel();
InetAddress ipAddress = token.getIPAddress();
long maxTime = token.getMaxSessionTime();
long idleTime = token.getIdleTime();
long maxIdleTime = token.getMaxIdleTime();
System.out.println("SSOToken host name: " + host);
System.out.println("SSOToken Principal name: " +
principal.getName());
System.out.println("Authentication type used: " + authType);
System.out.println("IPAddress of the host: " +
ipAddress.getHostAddress());
}
/* let us try to validate the token again, with another method
* if token is invalid, this method throws an excpetion
*/
manager.validateToken(token);

/* let us get the SSOTokenID associated with the token */
SSOTokenID id = token.getTokenID();

String tokenId = id.toString();

/* print the string representation of the token */

System.out.println("The token ID is " + tokenId);

/* let us set some properties in the token. We can get the values
* of set properties later
*/
token.setProperty("Company", "Sun Microsystems");
token.setProperty("Country", "USA");
String name = token.getProperty("Company");
String country = token.getProperty("Country");

System.out.println("Property: Company is - " + name);
System.out.println("Property: Country is - " + country);

System.out.println("SSO Token Validation test Succeeded");
/* let us add a listener to the SSOToken. Whenever a token
* event arrives, ssoTokenChanged method of the listener will
* get called.
*/
SSOTokenListener myListener = new SampleTokenListener();

token.addSSOTokenListener(myListener);
} catch (Exception e) {
System.out.println(e.getMessage());
e.printStackTrace();
}
}
}


Previous     Contents     DocHome     Next     
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated December 05, 2001