Before you begin
Java Authentication and Authorization Service (JAAS) is a new feature in WebSphere Application Server Version 5. JAAS represents the strategic application programming interfaces (APIs) for authentication. Check the following before you begin:
- Refer to the Developing applications that use CosNaming (CORBA Naming interface) article for details on how to set up the environment for thin client applications to access remote resources on a server.
- If the application uses a custom JAAS login configuration, verify that it is properly defined. See the Configuring application logins for Java Authentication and Authorization Service article for details.
- Some of the JAAS APIs are protected by Java 2 Security permissions. If application code uses these APIs, verify that the required permissions are added to the application was.policy file. See the Adding the was.policy file to applications, Using PolicyTool to edit policy files and Configuring the was.policy file articles for details. For more details on which APIs are protected by Java 2 Security permissions, check the IBM Application Developer Kit, Java Technology Edition, JAAS and WebSphere Application Server public API Javadoc listed in Security: Resources for learning. The APIs used in the sample code in this documentation, and the Java 2 Security permissions they require, are:
  - javax.security.auth.login.LoginContext constructors are protected by javax.security.auth.AuthPermission "createLoginContext"
  - javax.security.auth.Subject.doAs() and com.ibm.websphere.security.auth.WSSubject.doAs() are protected by javax.security.auth.AuthPermission "doAs"
  - javax.security.auth.Subject.doAsPrivileged() and com.ibm.websphere.security.auth.WSSubject.doAsPrivileged() are protected by javax.security.auth.AuthPermission "doAsPrivileged"
WebSphere Application Server provides the following extensions to JAAS:
- Enhanced model to J2EE resources for authorization checks. Due to a design oversight in JAAS Version 1.0, the javax.security.auth.Subject.getSubject() method does not return the Subject associated with the thread of execution inside a java.security.AccessController.doPrivileged() code block. This inconsistent behavior can have undesirable effects. The com.ibm.websphere.security.auth.WSSubject class provides a workaround for associating a Subject with a thread of execution and extends the JAAS model to J2EE resources for authorization checks. If the Subject associated with the thread of execution within a com.ibm.websphere.security.auth.WSSubject.doAs() or com.ibm.websphere.security.auth.WSSubject.doAsPrivileged() code block contains product credentials, that Subject is used for J2EE resource authorization checks.
- User interface support for defining new JAAS login configurations. You can configure a JAAS login configuration in the administrative console and store it in the WebSphere Common Configuration Model. Applications can define a new JAAS login configuration in the administrative console, and the data is persisted in the configuration repository (stored in the WebSphere Common Configuration Model). However, WebSphere Application Server still supports the default JAAS login configuration format (a plain text file) provided by the JAAS default implementation. If duplicate login configurations are defined in both the WebSphere Common Configuration and the plain text file format, the one in the WebSphere Common Configuration takes precedence. Defining the login configuration in the WebSphere Common Configuration has these advantages:
  - UI support for defining JAAS login configurations
  - JAAS login configurations can be managed centrally
  - JAAS login configurations are distributed in a Network Deployment installation
- Application support for programmatic authentication. WebSphere Application Server provides JAAS login configurations that applications can use to perform programmatic authentication to the WebSphere security run time. These configurations authenticate against the WebSphere-configured authentication mechanism (Simple WebSphere Authentication Mechanism (SWAM) or Lightweight Third Party Authentication (LTPA)) and user registry (Local OS, Lightweight Directory Access Protocol (LDAP) or Custom) based on the authentication data supplied. The authenticated Subject from these JAAS login configurations contains the Principal and Credentials that the WebSphere security run time needs to perform authorization checks on J2EE role-based protected resources. WebSphere Application Server provides the following JAAS login configurations:
  - WSLogin JAAS login configuration. A generic JAAS login configuration that Java clients, client container applications, servlets, JSP files, and EJB components can use to authenticate to the WebSphere security run time with a user ID and password, or with a token. However, this configuration does not honor the CallbackHandler specified in the client container deployment descriptor.
  - ClientContainer JAAS login configuration. This JAAS login configuration honors the CallbackHandler specified in the client container deployment descriptor. The login module of this login configuration uses the CallbackHandler in the client container deployment descriptor if one is specified, even if the application code specified a CallbackHandler in the LoginContext. This configuration is intended for client container applications.
  A Subject authenticated with either of these JAAS login configurations contains a com.ibm.websphere.security.auth.WSPrincipal principal and a com.ibm.websphere.security.cred.WSCredential credential. If the authenticated Subject is passed to com.ibm.websphere.security.auth.WSSubject.doAs() or one of the other doAs() methods, the product security run time can perform authorization checks on J2EE resources based on the com.ibm.websphere.security.cred.WSCredential in the Subject.
- Customer-defined JAAS login configurations. You can define other JAAS login configurations to perform a programmatic login that creates a custom Subject in either the client or server process. Certain credentials and principals are required in the Subject for the product security run time to use it for sending authentication information over a protocol from the client or for handling authorization on the server. The required credentials are generated by the login modules that the product provides.
  The login module needed for a pure Java client login is as follows:
  - com.ibm.ws.security.common.auth.module.WSLoginModuleImpl required;
  In addition to using this login module, the callback handler must be able to handle the following callback classes:
  - javax.security.auth.callback.NameCallback
  - javax.security.auth.callback.PasswordCallback
  A user name and password must be supplied through the callback handler. Custom classes that are added to the Subject on the client side are propagated to the server automatically whenever security attribute propagation is enabled. For information about enabling propagation for a pure Java client, see the corresponding step in Enabling security attribute propagation. Note: The classes added to the Subject must be Java serializable and deserializable for this to work properly.
  The login modules needed for a server login are as follows:
  - com.ibm.ws.security.server.lm.ltpaLoginModule required;
  - com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule required;
  For information about the callbacks used for a server-side login configuration, see Example: Customizing a server-side Java Authentication and Authorization Service authentication and login configuration.
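The pure Java client login described above, as an added example that is not part of the original documentation: a CallbackHandler that answers only the NameCallback and PasswordCallback required by WSLoginModuleImpl, a LoginContext that uses the product-supplied WSLogin configuration, and WSSubject.doAs() so that the WSCredential in the returned Subject is the one used for J2EE authorization checks. The class names ClientLogin and UserPasswordHandler and the user ID and password taken from the command line are assumptions; the permissions named in the comments are the ones listed under Before you begin.

```java
import java.io.IOException;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;

// Assumed class names; Java 1.4 syntax to match the WebSphere Version 5 era.
public class ClientLogin {
    // Answers exactly the two callbacks WSLoginModuleImpl requires.
    static class UserPasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        UserPasswordHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < cbs.length; i++) {
                if (cbs[i] instanceof NameCallback) {
                    ((NameCallback) cbs[i]).setName(user);
                } else if (cbs[i] instanceof PasswordCallback) {
                    ((PasswordCallback) cbs[i]).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cbs[i]); // fail closed on unknown callbacks
                }
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        // "WSLogin" is the product-supplied configuration (a custom pure Java client
        // configuration would name WSLoginModuleImpl as its required login module).
        // Constructing a LoginContext needs AuthPermission "createLoginContext" in was.policy.
        LoginContext lc = new LoginContext("WSLogin",
                new UserPasswordHandler(args[0], args[1].toCharArray()));
        lc.login();
        Subject subject = lc.getSubject(); // holds WSPrincipal and WSCredential
        // WSSubject.doAs (AuthPermission "doAs"), not Subject.doAs, so the WSCredential
        // is associated with this thread for J2EE authorization checks.
        WSSubject.doAs(subject, new PrivilegedAction() {
            public Object run() {
                // Access protected J2EE resources here as the authenticated user.
                return null;
            }
        });
        lc.logout();
    }
}
```

Run the client with the WebSphere client runtime on the classpath and the user ID and password as the two command-line arguments.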