IBM Security Verify

  • 1.  Authorization: Bearer header in junction

    Posted Wed January 16, 2019 12:02 PM
    Hi all,
    We configured an STS chain to send a JWT to a backend server in a junction.
    In WebSEAL's configuration file I can configure it to send the JWT in a cookie or in a header, and I can decide the name of the cookie and the name of the header.
    How can I send the JWT in an Authorization: Bearer header? (So I need to add Bearer to the value of the header before the JWT.)
    If I configure:
    token-transmit-type = header
    token-transmit-name = Authorization
    I have no way to add Bearer to the header's value.
    I tried with
    token-transmit-name = Authorization : Bearer but it doesn't work.


    Is there any parameter, or do I have to use transformation rules?

    thank you

    ------------------------------
    Ivana Campolongo
    ------------------------------


  • 2.  RE: Authorization: Bearer header in junction

    Posted Thu January 17, 2019 05:52 AM
    I have a solution for this. Add the following JavaScript mapping rule to the END of your current STS chain (after the JWT in issue mode). It will prepend "Bearer " to the JWT, and that's what WebSEAL will send downstream.

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

    /*
     * This mapping rule is designed to run (in map mode) at the END of an STS chain that already issues a JWT token.
     * What it actually does is take the JWT and re-issue it as a BinarySecurityToken with the string:
     *
     *   Bearer <existing_jwt>
     *
     */

    var tokenResponse = stsresponse.getRequestSecurityTokenResponse();
    var requestedToken = tokenResponse.getRequestedSecurityToken();
    if (requestedToken != null) {
        // re-issue with bearer header
        var stringToken = 'Bearer ' + requestedToken.getTextContent();

        // create new BST with modified text in it
        var document      = IDMappingExtUtils.newXMLDocument();
        var myOutputValue = document.createTextNode(stringToken);
        var myOutputToken = document.createElementNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "wsse:BinarySecurityToken");
        myOutputToken.setAttribute("ValueType", "BearerJWT");
        myOutputToken.setAttribute("EncodingType", "urn:jwt:with:bearer:header");
        myOutputToken.appendChild(myOutputValue);

        // set to null first to clear out existing JWT, then set our new token
        tokenResponse.setRequestedSecurityToken(null);
        tokenResponse.setRequestedSecurityToken(myOutputToken);

        IDMappingExtUtils.traceString("Final token: " + IDMappingExtUtils.xmlElementToString(myOutputToken));

    } else {
        IDMappingExtUtils.throwSTSException("No requested security token found");
    }


    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
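    Added example (not part of the thread above and not IBM's code): a stand-alone Node.js simulation of the two halves of this setup. The first half does what the mapping rule does, prepending "Bearer " so the junctioned backend receives a standard RFC 6750 Authorization header; the second half is what that backend should then do: parse the header strictly (including the malformed "Authorization : Bearer" shape from the original question), pin the expected algorithm, verify the signature with a constant-time compare, and check expiry. The HS256 shared secret, the claims, the issuer URL and the timestamp are all constructed for this example; a real STS JWT module signs with whatever key and algorithm it is configured with.

    ```javascript
    // Added example, not from the original post. Simulates "Bearer " + JWT as the
    // STS mapping rule builds it, plus the backend-side parsing and verification.
    const crypto = require('crypto');

    // base64url helpers written out by hand so the block runs on older Node versions.
    const b64url = (buf) => Buffer.from(buf).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
    const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

    // Constructed stand-in for the STS JWT module's signing key (assumption: HS256).
    const SHARED_SECRET = 'constructed-example-secret-do-not-reuse';

    // Stand-in for the "JWT in issue mode" module earlier in the chain.
    function issueJwt(claims, secret) {
      const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
      const payload = b64url(JSON.stringify(claims));
      const sig = crypto.createHmac('sha256', secret).update(`${header}.${payload}`).digest();
      return `${header}.${payload}.${b64url(sig)}`;
    }

    // What the mapping rule does to the token text before WebSEAL puts it in the header.
    function toBearerHeaderValue(jwt) {
      return 'Bearer ' + jwt;
    }

    // Backend side: RFC 6750 "Bearer" 1*SP b64token. Scheme is case-insensitive; anything
    // else (no scheme, the raw JWT, or "Authorization : Bearer ..." leaking into the value)
    // is rejected rather than guessed at.
    function extractBearerToken(headerValue) {
      if (typeof headerValue !== 'string') return null;
      const m = /^Bearer[ ]+([A-Za-z0-9\-._~+/]+=*)$/i.exec(headerValue.trim());
      return m ? m[1] : null;
    }

    // Verify an HS256 JWT: pin the algorithm (never trust "alg" from the token),
    // constant-time signature compare, then expiry. Returns claims or throws.
    function verifyJwt(jwt, secret, now = Math.floor(Date.now() / 1000)) {
      const parts = jwt.split('.');
      if (parts.length !== 3) throw new Error('malformed JWT');
      const [h, p, s] = parts;
      const header = JSON.parse(fromB64url(h).toString('utf8'));
      if (header.alg !== 'HS256') throw new Error('unexpected alg: ' + header.alg);
      const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
      const actual = fromB64url(s);
      if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual)) {
        throw new Error('bad signature');
      }
      const claims = JSON.parse(fromB64url(p).toString('utf8'));
      if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
      return claims;
    }

    // What a backend request handler would do with req.headers.authorization.
    function authenticateRequest(authorizationHeader, secret, now) {
      const token = extractBearerToken(authorizationHeader);
      if (!token) return { ok: false, reason: 'missing or malformed Bearer credential' };
      try {
        return { ok: true, claims: verifyJwt(token, secret, now) };
      } catch (e) {
        return { ok: false, reason: e.message };
      }
    }

    // Walk-through on constructed data.
    const NOW = 1547640000; // constructed "current time", mid-January 2019
    const jwt = issueJwt({ sub: 'ivana', iss: 'https://isam.example.invalid', exp: NOW + 600 }, SHARED_SECRET);
    const headerValue = toBearerHeaderValue(jwt);
    console.log('Authorization: ' + headerValue);
    console.log(authenticateRequest(headerValue, SHARED_SECRET, NOW));
    ```

    The regex deliberately rejects the "Authorization : Bearer ..." string from the first post: if that were set as token-transmit-name it would never yield a valid scheme, which is why the fix has to happen inside the STS chain rather than in the header name. On the backend, pinning alg and verifying with the configured key is what turns the header from a label into a credential; prepending "Bearer " only changes transport, not trust.
    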



  • 3.  RE: Authorization: Bearer header in junction

    Posted Fri January 18, 2019 10:17 AM
    Thank you Shane.

    It works perfectly!

    ------------------------------
    Ivana Campolongo
    ------------------------------