public final class ProfileTokenCredential extends AS400Credential implements AS400BasicAuthenticationCredential
A profile token provides a timed credential representing an authenticated system user profile and password. A profile token can be established in either a remote (not running on the target system) or local (running on the target system) context. Once created, it may be serialized or distributed as required by the application.
When referenced from a running process on the associated IBM i system, a profile token can be used to modify or swap the thread identity and perform a specific task or tasks on behalf of the authenticated user. However, a profile token generated on one IBM i system cannot be used to swap thread identity on any other system.
An application of this support would be in a single tier application running on the system when a designated operation must be run under the system authorities and permissions of a specific user profile. A profile token can be used to swap identity prior to performing the operation. Support is also provided to swap back to the original identity upon completion.
Another application of this support might be in a two tier application, with authentication of a user profile and password being performed by a graphical user interface on the first tier (i.e. a PC) and work being performed for that user on the second tier (the IBM i system). By utilizing ProfileTokenCredentials, the application can avoid directly passing the user ID and password over the network. The profile token can be distributed as required to the program on the second tier, which can perform the swap() and run designated operations under the system authorities and permissions assigned to the user.
Note: While inherently more secure than passing a user profile and password due to limited life span, profile tokens should still be considered sensitive information by the application and handled accordingly. Since the token represents an authenticated user and password, it could potentially be exploited by a hostile application to perform work on behalf of that user. It is ultimately the responsibility of the application to ensure that credentials are accessed in a secure manner.
Profile tokens are only supported for IBM i systems at release V4R5M0 or greater.
The following example demonstrates the use of a ProfileTokenCredential when run on the local IBM i system. (Note: swap() is an unsupported remote operation.)
// Prepare to work with the local IBM i system.
AS400 system = new AS400("localhost", "*CURRENT", "*CURRENT");
// Create a single-use ProfileTokenCredential with a 60 second timeout.
// A valid user ID and password must be substituted.
ProfileTokenCredential pt = new ProfileTokenCredential();
pt.setSystem(system);
pt.setTimeoutInterval(60);
pt.setTokenType(ProfileTokenCredential.TYPE_SINGLE_USE);
pt.setTokenExtended("USERID", "PASSWORD");
// Swap the thread identity, retrieving a credential to
// later swap back to the original identity.
AS400Credential cr = pt.swap(true);
// Perform work under the swapped identity at this point.
// Newly-connected AS400 objects will run under the new (swapped-to) identity.
AS400 swapped = new AS400("localhost", "*CURRENT", "*CURRENT");
// Swap back to the original thread identity.
cr.swap();
// Clean up the credentials.
cr.destroy();
pt.destroy();
General restrictions:
Guidelines and restrictions for generating profile tokens based on a specified user profile name and password:
AS400Credential,
Serialized Form| Modifier and Type | Field and Description |
|---|---|
static int |
PW_NOPWD
Password special value indicating that the current password is
not verified.
|
static int |
PW_NOPWDCHK
Password special value indicating that a profile token can be
generated for a profile that is disabled or has an expired password.
|
static int |
TOKEN_LENGTH
Indicates the length of a profile token (in bytes)
|
static int |
TYPE_MULTIPLE_USE_NON_RENEWABLE
ID indicating a multiple use token that cannot be regenerated.
|
static int |
TYPE_MULTIPLE_USE_RENEWABLE
ID indicating a multiple use token that can be regenerated.
|
static int |
TYPE_SINGLE_USE
ID indicating a single use token.
|
CR_AUTO_REFRESH_FAILED, CR_AUTO_REFRESH_NOT_VALID, CR_AUTO_REFRESH_STARTED, CR_AUTO_REFRESH_STOPPED| Constructor and Description |
|---|
ProfileTokenCredential()
Constructs a ProfileTokenCredential object.
|
ProfileTokenCredential(AS400 system,
byte[] token,
int tokenType,
int timeoutInterval)
Constructs and initializes a ProfileTokenCredential object.
|
| Modifier and Type | Method and Description |
|---|---|
void |
allowRefresh()
Notify the wait thread to refresh profile token credential.
|
boolean |
equals(java.lang.Object o)
Compares the specified Object with the credential
for equality.
|
int |
getTimeoutInterval()
Returns the number of seconds to expiration assigned
when the token was last initialized or refreshed.
|
byte[] |
getToken()
Returns the actual bytes for the token as it exists
on the IBM i system.
|
int |
getTokenType()
Returns an integer indicating the type assigned when
the token was last initialized or refreshed.
|
int |
hashCode()
Returns a hash code for this credential.
|
void |
initialize(AS400BasicAuthenticationPrincipal principal,
char[] password,
boolean isPrivate,
boolean isReusable,
boolean isRenewable,
int timeoutInterval)
Initializes and validates a credential for the local IBM i system.
|
void |
initialize(AS400BasicAuthenticationPrincipal principal,
java.lang.String password,
boolean isPrivate,
boolean isReusable,
boolean isRenewable,
int timeoutInterval)
Deprecated.
Use initialize(AS400BasicAuthenticationPrincipal principal,
char[] password, boolean isPrivate, boolean isReusable,
boolean isRenewable, int timeoutInterval) instead.
|
boolean |
isRenewable()
Indicates if the credential can be refreshed.
|
boolean |
isReusable()
Indicates if the credential can be used multiple
times prior to expiration.
|
void |
preventRefresh()
Block the thread to refresh profile token credential.
|
void |
refresh()
Updates or extends the validity period for the credential.
|
void |
refresh(int type,
int timeoutInterval)
Updates or extends the validity period for the credential.
|
void |
setTimeoutInterval(int seconds)
Sets the number of seconds to expiration when the
token is generated or refreshed.
|
void |
setToken(AS400Principal principal,
int passwordSpecialValue)
Sets the token bytes based on the provided principal and
special value for a password.
|
void |
setToken(AS400Principal principal,
java.lang.String password)
Deprecated.
As of V5R3, replaced
by
setTokenExtended(AS400Principal,String) for password strings
or setToken(AS400Principal,int) for password special values. |
void |
setToken(byte[] bytes)
Sets the actual bytes for the token as it exists
on the IBM i system.
|
void |
setToken(java.lang.String name,
int passwordSpecialValue)
Sets the token bytes based on the provided user profile and
special value for a password.
|
void |
setToken(java.lang.String name,
java.lang.String password)
Deprecated.
As of V5R3, replaced
by
setTokenExtended(String,String) for password strings
or setToken(String,int) for password special values. |
void |
setTokenExtended(AS400Principal principal,
char[] password)
Sets the token bytes based on the provided principal and password.
|
void |
setTokenExtended(AS400Principal principal,
java.lang.String password)
Deprecated.
Use setTokenExtended(AS400Principal principal, char[] password) instead
|
void |
setTokenExtended(java.lang.String name,
char[] password)
Sets the token bytes based on the provided user profile and password.
|
void |
setTokenExtended(java.lang.String name,
java.lang.String password)
Deprecated.
Use setTokenExtended(String name, char[] password) instead.
|
void |
setTokenType(int type)
Sets the type of token.
|
int |
superHashCode()
Returns the hashcode for the super class @E1A
|
java.lang.String |
toString()
Returns a string representation of the object
|
addCredentialListener, addPropertyChangeListener, addVetoableChangeListener, basicAuthenticationPrompt, destroy, finalize, getAutomaticRefreshFailure, getAutomaticRefreshStatus, getPrincipal, getSystem, getTimeToExpiration, isCurrent, isDestroyed, isPrivate, isTimed, removeCredentialListener, removePropertyChangeListener, removeVetoableChangeListener, setPrincipal, setSystem, startAutomaticRefresh, stopAutomaticRefresh, swap, swapbasicAuthenticationPrompt, isPrivatepublic static final int TYPE_SINGLE_USE
public static final int TYPE_MULTIPLE_USE_NON_RENEWABLE
public static final int TYPE_MULTIPLE_USE_RENEWABLE
public static final int TOKEN_LENGTH
public static final int PW_NOPWD
The user requesting the profile token must have *USE authority to the user profile.
This value is not allowed if the name of the currently running profile is specified for the user profile name parameter.
public static final int PW_NOPWDCHK
The user requesting the profile token must have *USE authority to the user profile.
If the profile is disabled, the user requesting the profile token must have *ALLOBJ and *SECADM special authorities to get a token.
If the password is expired, the user requesting the profile token must have *ALLOBJ and *SECADM special authorities to get a token.
If the requesting user does not have *ALLOBJ and *SECADM special authorities, then the request will be handled as if they had indicated *NOPWD.
public ProfileTokenCredential()
The system and token must be set prior to accessing host information or taking action against the credential.
public ProfileTokenCredential(AS400 system, byte[] token, int tokenType, int timeoutInterval)
The system, token, tokenType, and timeoutInterval properties are initialized to the specified values.
This method allows a credential to be constructed based on an existing token (i.e. previously created using the QSYGENPT system API). It is the responsibility of the application to ensure the tokenType and timeoutInterval are consistent with the specified token value.
system - The system associated with the credential.token - The actual bytes for the token as it exists on the
IBM i system.tokenType - The type of token provided.
Possible types are defined as fields on this class:
timeoutInterval - The number of seconds to expiration, used as the
default value when the token is refreshed (1-3600).public boolean equals(java.lang.Object o)
equals in class java.lang.Objecto - Object to be compared for equality.public int getTimeoutInterval()
This value also provides the default value for subsequent refresh attempts.
The default value is 3600 (1 hour).
public byte[] getToken()
public int getTokenType()
This value also provides the default value for subsequent refresh attempts.
The default is TYPE_SINGLE_USE.
public int superHashCode()
public int hashCode()
hashCode in class java.lang.Objectpublic void initialize(AS400BasicAuthenticationPrincipal principal, java.lang.String password, boolean isPrivate, boolean isReusable, boolean isRenewable, int timeoutInterval) throws java.lang.Exception
initialize in interface AS400BasicAuthenticationCredentialprincipal - The principal identifying the authenticated user.
If not an instance of AS400Principal, a corresponding
UserProfilePrincipal is generated and assigned.password - The password for the authenticated user.isPrivate - Indicates whether the credential is considered private.isReusable - true if the credential can be used to swap
thread identity multiple times;
otherwise false.isRenewable - true if the validity period of the credential
can be programmatically updated or extended;
otherwise false.timeoutInterval - The number of seconds to expiration when the credential
is initially created; ignored if the credential
does not expire based on time.java.lang.Exception - If an exception occurs.public void initialize(AS400BasicAuthenticationPrincipal principal, char[] password, boolean isPrivate, boolean isReusable, boolean isRenewable, int timeoutInterval) throws java.lang.Exception
initialize in interface AS400BasicAuthenticationCredentialprincipal - The principal identifying the authenticated user.
If not an instance of AS400Principal, a corresponding
UserProfilePrincipal is generated and assigned.password - The password for the authenticated user.isPrivate - Indicates whether the credential is considered private.isReusable - true if the credential can be used to swap
thread identity multiple times;
otherwise false.isRenewable - true if the validity period of the credential
can be programmatically updated or extended;
otherwise false.timeoutInterval - The number of seconds to expiration when the credential
is initially created; ignored if the credential
does not expire based on time.java.lang.Exception - If an exception occurs.public boolean isRenewable()
isRenewable in class AS400Credentialrefresh()public boolean isReusable()
public void refresh()
throws AS400SecurityException
Does nothing if the credential cannot be programmatically updated or extended.
Otherwise, generates a new profile token based on the previously established token, type, and timeoutInterval.
refresh in class AS400CredentialAS400SecurityException - If an IBM i system security or authentication error occurs.public void refresh(int type,
int timeoutInterval)
throws AS400SecurityException
Does nothing if the credential cannot be programmatically updated or extended.
Otherwise, generates a new profile token based on the previously established token with the given type and timeoutInterval.
If successful, the specified type and interval become the default values for future refresh attempts.
This method is provided to handle cases where it is desirable to allow for a more restrictive type of token or a different timeout interval when a new token is generated during the refresh.
type - The type of token.
Possible types are defined as fields on this class:
timeoutInterval - The number of seconds before expiration (1-3600).AS400SecurityException - If an IBM i system security or authentication error occurs.ExtendedIllegalArgumentException - If a parameter value is out of range.public void setTimeoutInterval(int seconds)
throws java.beans.PropertyVetoException
It is the application's responsibility to maintain consistency between explicitly set token values (those not generated from a user and password) and the tokenType and timeoutInterval.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
seconds - The number of seconds to expiration (1-3600).java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If the provided value is out of range.ExtendedIllegalStateException - If the property cannot be changed due
to the current state.public void setToken(byte[] bytes)
throws java.beans.PropertyVetoException
This method allows a credential to be constructed based on an existing token (i.e. previously created using the QSYGENPT system API). It is the responsibility of the application to ensure the tokenType and timeoutInterval are consistent with the specified token value.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
bytes - The token bytes.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If the provided value is not the correct
length.ExtendedIllegalStateException - If the property cannot be changed due
to the current state.public void setToken(AS400Principal principal, java.lang.String password) throws java.beans.PropertyVetoException, AS400SecurityException
setTokenExtended(AS400Principal,String) for password strings
or setToken(AS400Principal,int) for password special values.The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
principal - The principal identifying the user profile for
which the token is to be generated.password - The user profile password. The following special values are allowed:
AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setToken(java.lang.String name,
java.lang.String password)
throws java.beans.PropertyVetoException,
AS400SecurityException
setTokenExtended(String,String) for password strings
or setToken(String,int) for password special values.The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
name - The name of the user profile for which the token
is to be generated.password - The user profile password. The following special values are allowed:
AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setToken(AS400Principal principal, int passwordSpecialValue) throws java.beans.PropertyVetoException, AS400SecurityException
This method requires a special value to be specified for
the user password parameter. If you need to validate a user password,
see the setTokenExtended(AS400Principal, String).
The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
principal - The principal identifying the user profile for
which the token is to be generated.passwordSpecialValue - The special value for the user profile password.
The following special values are allowed:
AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setToken(java.lang.String name,
int passwordSpecialValue)
throws java.beans.PropertyVetoException,
AS400SecurityException
This method requires a special value to be specified for
the user password parameter. If you need to validate a user
password, see the setTokenExtended(String, String).
The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
name - The name of the user profile for which the token
is to be generated.passwordSpecialValue - The special value for the user profile password.
The following special values are allowed:
AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setTokenExtended(AS400Principal principal, java.lang.String password) throws java.beans.PropertyVetoException, AS400SecurityException
The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
principal - The principal identifying the user profile for
which the token is to be generated.password - The user profile password.AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setTokenExtended(AS400Principal principal, char[] password) throws java.beans.PropertyVetoException, AS400SecurityException
The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
principal - The principal identifying the user profile for
which the token is to be generated.password - The user profile password.AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setTokenExtended(java.lang.String name,
java.lang.String password)
throws java.beans.PropertyVetoException,
AS400SecurityException
The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
name - The name of the user profile for which the token
is to be generated.password - The user profile password.AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setTokenExtended(java.lang.String name,
char[] password)
throws java.beans.PropertyVetoException,
AS400SecurityException
The system property must be set prior to invoking this method.
If successful, this method results in a new token being created on the IBM i system. The new token is generated using the previously established tokenType and timeoutInterval settings.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
name - The name of the user profile for which the token
is to be generated.password - The user profile password.AS400SecurityException - If an IBM i system security or authentication error occurs.java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If errors occur during parameter validation.ExtendedIllegalStateException - If the token cannot be initialized due
to the current state.public void setTokenType(int type)
throws java.beans.PropertyVetoException
It is the application's responsibility to maintain consistency between explicitly set token values (those not generated from a user and password) and the tokenType and timeoutInterval.
This property cannot be changed once a request initiates a connection for the object to the IBM i system (for example, refresh).
type - The type of token.
Possible types are defined as fields on this class:
java.beans.PropertyVetoException - If the change is vetoed.ExtendedIllegalArgumentException - If the provided value is out of range.ExtendedIllegalStateException - If the property cannot be changed due
to the current state.public java.lang.String toString()
toString in class java.lang.Objectpublic void preventRefresh()
throws java.lang.InterruptedException
java.lang.InterruptedExceptionpublic void allowRefresh()