Before you begin
Java Authentication and Authorization Service (JAAS) is a new feature in WebSphere Application Server. It is a collection of WebSphere Application Server strategic authentication APIs and replaces the Common Object Request Broker Architecture (CORBA) programmatic login APIs.
WebSphere Application Server provides some extensions to JAAS:
If you do not want to use the Proxy LoginModule, you can place the LoginModule in the jre/lib/ext directory. However, this is not recommended due to the security risks.
Two JAAS login configurations are defined in the WebSphere Configuration API security document for applications to use. In the left navigation pane, click Security > JAAS Configuration > Application Login > WSLogin and ClientContainer. The following three JAAS login configurations are available:
A new JAAS login configuration can be added and modified using the administrative console. The changes are saved in the cell-level security document and are available to all managed application servers. An application server restart is required for the changes to take effect at run time.
Note: Do not remove or delete the predefined JAAS login configurations (ClientContainer, WSLogin and DefaultPrincipalMapping). Deleting or removing them can cause other enterprise applications to fail.
Steps for this task
Click Apply to save changes and to add the extra node name that precedes the original alias name. Clicking OK does not save the new changes in the security.xml file.
If you place the login module within the EAR file, it is accessible to the specific application only.
If you place the login module in the shared library, you must specify which applications can access the module. For more information on shared libraries, see Managing shared libraries.
If you place the JAAS login module in the Java extensions directory, the login module is available to all applications.
Although the Java extensions directory provides the greatest availability for the login module, it is recommended that you place the login module in an application EAR file. If other applications need to access the same login module, consider using shared libraries.
Java client programs that use the Java Authentication and Authorization Service (JAAS) for authentication must be invoked with the JAAS configuration file specified. This configuration file is set in the /install_root/bin/launchClient.bat file as set JAAS_LOGIN_CONFIG=-Djava.security.auth.login.config=%install_root%\properties\wsjaas_client.conf. If the launchClient.bat file is not used to invoke the Java client program, verify that the appropriate JAAS configuration file is passed to the Java virtual machine with the -Djava.security.auth.login.config flag.
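The following pre-flight check is an added example, not code from the WebSphere documentation. It confirms that the JVM received the -Djava.security.auth.login.config flag and that a named login configuration resolves to at least one login module. The class name JaasConfigCheck and the use of WSLogin as the default entry name are assumptions; only standard javax.security.auth.login APIs are called.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added example, not IBM code. Class name and default entry name are assumptions.
public class JaasConfigCheck {

    // Returns null when the entry resolves, otherwise a description of the problem.
    static String check(String entryName) {
        String path = System.getProperty("java.security.auth.login.config");
        if (path == null || path.isEmpty()) {
            return "-Djava.security.auth.login.config was not passed to the JVM";
        }
        Configuration config;
        try {
            // With the JDK's default file-based implementation, a missing or
            // malformed configuration file surfaces here as SecurityException.
            config = Configuration.getConfiguration();
        } catch (SecurityException e) {
            return "cannot load " + path + ": " + e.getMessage();
        }
        AppConfigurationEntry[] entries = config.getAppConfigurationEntry(entryName);
        if (entries == null || entries.length == 0) {
            // LoginContext falls back to an entry named "other" in this case, so a
            // misspelled name can log in through modules nobody intended to use.
            boolean fallback = config.getAppConfigurationEntry("other") != null;
            return "no entry named " + entryName + " in " + path
                    + (fallback ? " (LoginContext would fall back to \"other\")" : "");
        }
        for (AppConfigurationEntry entry : entries) {
            // Print option names only: option values can hold credentials.
            System.out.println(entryName + " -> " + entry.getLoginModuleName()
                    + " [" + entry.getControlFlag() + "] options="
                    + entry.getOptions().keySet());
        }
        return null;
    }

    public static void main(String[] args) {
        String entryName = args.length > 0 ? args[0] : "WSLogin";
        String problem = check(entryName);
        if (problem != null) {
            System.err.println("JAAS configuration problem: " + problem);
            System.exit(1);
        }
    }
}
```

Run it with the same JVM flags and class path as the client program so that it sees the configuration the client would see.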
Results
A new JAAS login configuration is created or an old JAAS login configuration is removed. An enterprise application can use a newly created JAAS login configuration without restarting the application server process. However, new JAAS login configurations defined in the install_root/properties/wsjaas.conf file do not refresh automatically. Restart the application servers to validate changes. These JAAS login configurations are specific to a particular node and are not available for other application servers running on other nodes.
Example
What to do next
Use these newly defined JAAS login configurations to perform programmatic login.