I have a situation where a web application is calling some JAX-RPC web service.
My program will inject the Username Security Token by calling a javax.security.auth.callback.CallbackHandler class that I made.
I will like to use the userid/password that is visible in the request object.
When the CallbackHandler method is called, the request object is not visible in the method.
I'm trying to figure out how to access the userid/password within the CallbackHandler, that do not have access to request object (or session).
I think I have a solution, but not sure if it works all the time.
If anyone can give me input on the validity of this method it will be great.
Here is my solution:
In the CallbackHandler object that I created, I put a static HashMap object that will (should) stay persistent on JVM.
When the application is handling the request from a user, (The request object is visible) I put the userid/password in the static HashMap using Thread.currentThread().getId() as a key.
When the CallbackHandler is called by my web application server, (request object is not visible) I retrieve the userid/password from the HashMap again using Thread.currentThread().getId() as a key.
The idea behind this is that when a request is made to a web app, each request is handled by single thread per request.
Therefore the Thread id can be used as a key even when the callback handler is invoked by the application server (Not directly by my code) automatically behind the scene.
This should work if the callback handler is guaranteed to be called by the same thread.
But I'm not sure if that is the case.
I use IBM WebSphere application server 6.1.
My small scale test indicates that it works.
However if anyone can give me any input on this it will be great.