Before you begin
WebSphere Application Server provides principal mapping when a Java 2 Connector (J2C) connection factory is configured to perform container-managed sign-on. For example, the application server can map the caller principal to a resource principal to open a new connection to the backend server. With container-managed sign-on, WebSphere Application Server creates a Subject instance that contains enterprise information systems (EIS) security domain credentials. A Subject object returned by a principal mapping module contains a Principal object that represents the caller identity and a PasswordCredential or a GenericCredential. WebSphere Application Server provides a default principal mapping module that maps any authenticated user credentials to password credentials for the EIS security domain. The default mapping module is defined in the Application Login Configuration panel in the DefaultPrincipalMapping entry. The user ID and password for the EIS security domain are defined under each connection factory by an authDataAlias attribute (the container-managed authentication alias) in the administrative console. The authDataAlias attribute does not actually contain the user name and password. An authDataAlias attribute contains an alias that refers to a user name and password pair that is defined in the security configuration document. Because it contains sensitive data, the security configuration document requires the most privileged administrator role for both read and write access. This indirection avoids saving a sensitive user name and password in configuration documents other than the security document.
The J2C connection factory configuration contains a mapping module, which defines a principal mapping module alias (mappingConfigAlias attribute) and an authentication data alias (authDataAlias attribute).
At run time, the J2C-managed connection factory code passes a reference of the ManagedConnectionFactory and an authDataAlias object to the configured principal mapping module through the WSPrincipalMappingCallbackHandler object. WebSphere Application Server supports plugging in a custom principal mapping module for a connection factory if the any-authenticated-to-one mapping provided by the default principal mapping module is insufficient. A custom mapping module is a special purpose Java Authentication and Authorization Service (JAAS) Login Module that performs principal or credential mapping in the login method. The WSSubject.getCallerPrincipal() method can be used to retrieve the application client identity. Plugging in a custom mapping module is very simple. Change the value of the mappingConfigAlias object to the custom mapping module. However, the configuration must be done through the wsadmin tool.
Why and when to perform this task
The following steps are needed to perform
this task. You can use the administrative console for the first few steps.
Use the wsadmin tool for the rest of the configuration.
Steps for this task
wsadmin>$AdminConfig show PetStore_CF(cells/hillsideNetwork/nodes/hillside/servers/server1:resources.xml#CMPConnectorFactory_4)
wsadmin>$AdminConfig show {mapping (cells/hillsideNetwork/nodes/hillside/servers/server1:resources.xml#MappingModule_7)}
The following shows sample results of the above command:
{authDataAlias {}} {mappingConfigAlias DefaultPrincipalMapping}
As shown in the previous example, the J2C connection factory is configured to use the DefaultPrincipalMapping login configuration.
wsadmin>$AdminConfig modify {mapping (cells/hillsideNetwork/nodes/hillside/servers/server1:resources.xml#MappingModule_7)} { {mappingConfigAlias myMappingModule}}
You can check the result by typing:
wsadmin>$AdminConfig show {mapping (cells/hillsideNetwork/nodes/hillside/servers/server1:resources.xml#MappingModule_7)}
{authDataAlias {}} {mappingConfigAlias myMappingModule}
Note: The authDataAlias is left undefined. In practice, the authDataAlias is passed at run time to the custom mapping module. However, using the authDataAlias to look up the user ID and password requires the WebSphere Configuration application programming interface (API), which is not available at this time.
Results
A mapping module is defined and is configured for the specified J2C connection factory.
What to do next
To develop your own principal and credential mapping LoginModule, refer to the JAAS documentation for general information. The JAAS documentation can be found at http://www.ibm.com/developerworks/java/jdk/security. Scroll down to find the JAAS documentation for your platform. Refer to the login.html file for details of how to develop a JAAS login module. In particular, a mapping module needs to obtain the security identity of the caller. The WSSubject.getCallerPrincipal() static method returns a com.ibm.websphere.security.auth.WSPrincipal object, which represents the security identity of an authenticated caller.
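The following is an added example of such a custom mapping LoginModule; it is not IBM's code or part of this task. It retrieves the caller identity with WSSubject.getCallerPrincipal(), looks up a per-caller EIS user ID and password in the login module's JAAS options (a constructed convention for this example; a real module would read the password from a protected store), and fails closed when no mapping exists instead of falling back to a shared EIS identity. The callback class WSManagedConnectionFactoryCallback and its accessor are taken from the WebSphere SPI and are not on this page; verify their spelling against your release's Javadoc.

```java
package com.example.mapping; // hypothetical package name

import java.security.Principal;
import java.util.Map;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.auth.callback.WSManagedConnectionFactoryCallback; // assumed SPI class

public class CallerToEisMappingModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map options;
    private PasswordCredential mapped;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }

    public boolean login() throws LoginException {
        // Caller identity established by WebSphere security; the value is handled
        // whether the method returns a String or a Principal (WSPrincipal) object.
        Object caller = WSSubject.getCallerPrincipal();
        String callerName = (caller instanceof Principal) ? ((Principal) caller).getName() : String.valueOf(caller);
        // Constructed option convention: map.<callerName>=<eisUser>:<eisPassword>
        String entry = (String) options.get("map." + callerName);
        if (entry == null || entry.indexOf(':') < 0) {
            // Unknown or unauthenticated caller: refuse rather than use a shared EIS identity.
            throw new LoginException("no EIS mapping for caller " + callerName);
        }
        String eisUser = entry.substring(0, entry.indexOf(':'));
        char[] eisPassword = entry.substring(entry.indexOf(':') + 1).toCharArray();
        mapped = new PasswordCredential(eisUser, eisPassword);
        mapped.setManagedConnectionFactory(lookupMcf()); // lets the adapter match the credential
        return true;
    }

    // The container passes the target ManagedConnectionFactory through the callback handler.
    private ManagedConnectionFactory lookupMcf() throws LoginException {
        WSManagedConnectionFactoryCallback cb = new WSManagedConnectionFactoryCallback("Target MCF:");
        try { handler.handle(new Callback[] { cb }); }
        catch (Exception e) { throw new LoginException("cannot obtain ManagedConnectionFactory: " + e); }
        return cb.getManagedConnectionFacotry(); // method name as spelled in the WebSphere SPI
    }

    public boolean commit() { subject.getPrivateCredentials().add(mapped); return true; }
    public boolean abort() { mapped = null; return true; }
    public boolean logout() { if (mapped != null) subject.getPrivateCredentials().remove(mapped); return true; }
}
```

Register the class under the login configuration alias named in mappingConfigAlias (myMappingModule in the steps above) so that the connection factory invokes it.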