Java 2 Connector security

Java 2 Connector authentication data entries are used by resource adapters and Java database connectivity (JDBC) data sources. Each entry holds the authentication data (a user ID and password) that such a resource uses when it connects to its target system.

The connector architecture defines a standard architecture for connecting the Java 2 Platform, Enterprise Edition (J2EE) to heterogeneous enterprise information systems (EIS). Examples of EIS include Enterprise Resource Planning (ERP), mainframe transaction processing (TP) and database systems.

The connector architecture enables an EIS vendor to provide a standard resource adapter for its EIS. A resource adapter is a system-level software driver that is used by a Java application to connect to an EIS. The resource adapter plugs into an application server and provides connectivity between the EIS, the application server, and the enterprise application. You must protect information in EIS from unauthorized access.

The Java 2 Connector security architecture is designed to extend the end-to-end security model for J2EE-based applications to include integration with EISs. An application server and an EIS collaborate to ensure the proper authentication of a resource principal, which establishes a connection to an underlying EIS. The connector architecture identifies the following mechanisms as the commonly-supported authentication mechanisms:

WebSphere Application Server implementation of a Java 2 connection supports basic password authentication mechanisms and asserted identity across local connectors.

When a Java 2 Connector (J2C) or Java database connectivity (JDBC) connector is called, code is driven to perform a getConnection. This method optionally takes a user ID and password argument. If the application developer codes a user ID and password, they are used on the getConnection and subsequently passed to the connector.

Specifying a user ID and password in this way is simple but raises a security concern. The user ID and password must be coded into the Java source, so the credentials are visible to anyone who decompiles the class and to any developer or tester in the organization. Also, the WebSphere Application Server runtime cannot change the password periodically without requiring a synchronized code change.

WebSphere Application Server provides another mechanism to get the user ID and password into the Java Management Extensions (JMX) connector. When a getConnection is performed without a user ID and password, WebSphere Application Server detects this and uses the mechanism described here to apply a user ID and password. If no user ID and password are coded (and no user ID and password are defaulted by alias), the WebSphere Application Server runtime looks for a System Authorization Facility (SAF) user ID in the subject and if one is present

The user ID and password for the target EIS is supplied either by the application or by the application server. WebSphere Application Server uses a Java Authentication and Authorization Service (JAAS) pluggable authentication mechanism to perform principal mapping, which converts a WebSphere principal to a resource principal. WebSphere Application Server provides a DefaultPrincipalMapping LoginModule, which converts any authenticated principal to the preconfigured Enterprise Information Systems (EIS) resource principal and password. You can also plug in your own principal mapping LoginModule through the JAAS plug-in mechanism.

J2C mapping module configuration

When a J2C factory is configured for container-managed signon, WebSphere Application Server uses the configured principal mapping module to create a Subject instance that contains a user ID and a password for the target EIS.

Mapping modules are special JAAS login modules that provide principal and credential mapping functionality. You can define and configure custom mapping modules through the administrative console. Associated with the mapping module configuration is a set of user IDs and passwords that you define in the security configuration under a specified alias name, so the credentials live in the server configuration rather than in application code. The WebSphere Application Server runtime passes the user ID, the password and a reference to the connection factory manager to the configured mapping module, which creates a subject.

For more detailed information about developing a mapping module, refer to the Developing your own Java 2 security mapping module article.

J2C mapping module programming reference

You can develop your own mapping module if your application requires more sophisticated mapping functions. You can use the WSSubject.getRunAsSubject() method to retrieve the subject that represents the identity of the current running thread. The identity of the current running thread is known as the RunAs identity. The RunAs subject typically contains a WSPrincipal in the principal set and a WSCredential in the public credential set. The subject instance that is created by your mapping module contains a Principal instance in the principals set and a PasswordCredential or GenericCredential instance in the set of private credentials.
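As an added illustration of the mapping module contract described in the two sections above (this is example code written for this page, not WebSphere's DefaultPrincipalMapping module or any IBM API), a minimal custom JAAS mapping LoginModule that places a Principal in the principals set and a javax.resource.spi.security.PasswordCredential in the private credentials set. It assumes the EIS user ID and password arrive through the JAAS module options under the hypothetical keys eisUser and eisPassword (standing in for the aliased authentication data entry that the runtime supplies), omits the WebSphere-specific callback that carries the connection factory reference, and needs the JCA API on the classpath for PasswordCredential.

```java
import java.security.Principal;
import java.util.Map;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical mapping module: maps the RunAs identity to one EIS user ID and password. */
public class EisMappingLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> options;
    private Principal eisPrincipal;
    private PasswordCredential eisCredential;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;   // the Subject the container hands to the mapping module
        this.options = options;   // module options from the JAAS login configuration
    }

    @Override
    public boolean login() throws LoginException {
        // Assumed option keys. In a real deployment the values come from the aliased
        // authentication data entry in the security configuration, never from source code.
        String user = (String) options.get("eisUser");
        String password = (String) options.get("eisPassword");
        if (user == null || password == null) {
            throw new LoginException("EIS user ID or password not configured for this alias");
        }
        eisPrincipal = () -> user;   // Principal has a single abstract method, getName()
        eisCredential = new PasswordCredential(user, password.toCharArray());
        return true;
    }

    @Override
    public boolean commit() {
        // Resource principal goes in the principals set; the PasswordCredential is a
        // private credential so it is not exposed through getPublicCredentials().
        subject.getPrincipals().add(eisPrincipal);
        subject.getPrivateCredentials().add(eisCredential);
        return true;
    }

    @Override public boolean abort() { eisPrincipal = null; eisCredential = null; return true; }
    @Override public boolean logout() { subject.getPrivateCredentials().remove(eisCredential); return true; }
}
```

The resource adapter later reads the PasswordCredential from the subject's private credentials to authenticate to the EIS, so the application itself never calls getConnection with a user ID and password.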

Related tasks
Developing your own J2C principal mapping module

Searchable topic ID:   csecj2csecurity
Last updated: Jun 21, 2007 4:55:42 PM CDT    WebSphere Application Server Network Deployment, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/csec_j2csecurity.html