Tivoli Access Manager integration as the JACC provider

Tivoli Access Manager uses the Java Authorization Contract for Container (JACC) model in WebSphere Application Server to perform access checks.

Tivoli Access Manager consists of the following components:

Tivoli Access Manager run-time changes that are used to support JACC

For the run-time changes, Tivoli Access Manager implements the PolicyConfigurationFactory and the PolicyConfiguration interfaces, as required by JACC. During the application installation, the security policy information in the deployment descriptor and the authorization table information in the binding files are propagated to the Tivoli provider using these interfaces. The Tivoli provider stores the policy and the authorization table information in the Tivoli Access Manager policy server by calling the respective Tivoli Access Manager application programming interfaces (API).

Tivoli Access Manager also implements the RoleConfigurationFactory and the RoleConfiguration interfaces. These interfaces are used to ensure that the authorization table information is passed to the provider with the policy information. See Interfaces that support JACC for more information about these interfaces.

Tivoli Access Manager client configuration

To configure the Tivoli Access Manager client, you can use either the administrative console or wsadmin scripting. You can access the administrative console panels for the Tivoli Access Manager client configuration by clicking Security > Global security. Under Authorization, click Authorization providers. Under Related Items, click External JACC provider. The Tivoli client must be set up to use the Tivoli Access Manager JACC Provider.

For more information about how to configure the Tivoli Access Manager client, see Tivoli Access Manager JACC provider configuration.

Authorization table support

Tivoli Access Manager uses the RoleConfiguration interface to ensure that the authorization table information is passed to the Tivoli Access Manager provider when the application is installed or deployed. When an application is deployed or edited, the set of users and groups for the user or group-to-role mapping are obtained from the Tivoli Access Manager server, which shares the same Lightweight Directory Access Protocol (LDAP) server as WebSphere Application Server. This sharing is accomplished by plugging into the application management users or groups-to-role administrative console panels. The management APIs are called to obtain users and groups rather than relying on the WebSphere Application Server-configured LDAP registry.

Access check

When WebSphere Application Server is configured to use the JACC provider for Tivoli Access Manager , it passes the information to Tivoli Access Manager to make the access decision. The Tivoli Access Manager policy implementation queries the local replica of the access control list (ACL) database for the access decision.

Authentication using the PDLoginModule module

The custom login module in WebSphere Application Server can do the authentication. This login module is plugged in before the WebSphere Application Server-provided login modules. The custom login modules can provide information that can be stored in the Subject. If the required information is stored, no additional registry calls are made to obtain that information.

As part of the JACC integration, the Tivoli Access Manager-provided PDLoginModule module is also used to plug into WebSphere Application Server for both Lightweight Third Party Authentication (LTPA) and Simple WebSphere Authentication Mechanism (SWAM) authentication. The PDLoginModule module is modified to authenticate with the user ID or password. The module is also used to fill in the required attributes in the Subject so that no registry calls are made by the login modules in WebSphere Application Server. The information that is placed in the Subject is available for the Tivoli Access Manager policy object to use for access checking.

Interfaces that support JACC

WebSphere Application Server provides the RoleConfigurationFactory and the RoleConfiguration interfaces, which are similar to PolicyConfigurationFactory and PolicyConfiguration interfaces so the information that is stored in the bindings file can be propagated to the provider during installation. The implementation of these interfaces is optional.

RoleConfiguration interface

Use the RoleConfiguration interface to propagate the authorization information to the provider. This interface is similar to the PolicyConfiguration interface that is found in Java Authorization Contact for Containers (JACC).
RoleConfiguration
    		- com.ibm.wsspi.security.authorization.RoleConfiguration
	
/**
 * This interface is used to propagate the authorization table information
 * in the binding file during application installation. Implementation of this interface is
 * optional. When a JACC provider implements this interface during an application, both
 * the policy and the authorization table information are propagated to the provider.
* If this is not implemented, only the policy information is propagated as per  
 * the JACC specification.
 * @ibm-spi
 * @ibm-support-class-A1
 */


public interface RoleConfiguration

/**
 * Add the users to the role in RoleConfiguration. 
 * The role is created, if it does not exist in RoleConfiguration. 
 * @param role the role name.
 * @param users the list of the user names.
 * @exception RoleConfigurationException if the users cannot be added.
 */
 public void addUsersToRole(String role, List users)
 throws RoleConfigurationException

/**
 * Remove the users to the role in RoleConfiguration. 
 * @param role the role name.
 * @param users the list of the user names.
 * @exception RoleConfigurationException if the users cannot be removed.
 */
 public void removeUsersFromRole(String role, List users)
 throws RoleConfigurationException 


/**
 * Add the groups to the role in RoleConfiguration. 
 * The role is created if it does not exist in RoleConfiguration. 
 * @param role the role name.
 * @param groups the list of the group names.
 * @exception RoleConfigurationException if the groups cannot be added.
 */
 public void addGroupsToRole(String role, List groups)
 throws RoleConfigurationException 

/**
 * Remove the groups to the role in RoleConfiguration. 
 * @param role the role name.
 * @param groups the list of the group names.
 * @exception RoleConfigurationException if the groups cannot be removed.
 */
 public void removeGroupsFromRole( String role, List groups)
 throws RoleConfigurationException 


/**
 * Add the everyone to the role in RoleConfiguration. 
 * The role is created if it does not exist in RoleConfiguration. 
 * @param role the role name.
 * @exception RoleConfigurationException if the everyone cannot be added.
 */ 
 public void addEveryoneToRole(String role)
 throws RoleConfigurationException 

/**
 * Remove the everyone to the role in RoleConfiguration. 
 * @param role the role name.
 * @exception RoleConfigurationException if the everyone cannot be removed.
 */
 public void removeEveryoneFromRole( String role)
 throws RoleConfigurationException 

/**
 * Add the all authenticated users to the role in RoleConfiguration. 
 * The role is created if it does not exist in RoleConfiguration. 
 * @param role the role name.
 * @exception RoleConfigurationException if the authentication users cannot 
 *  be added.
 */
 public void addAuthenticatedUsersToRole(String role)
 throws RoleConfigurationException 

/**
 * Remove the all authenticated users to the role in RoleConfiguration. 
 * @param role the role name.
 * @exception RoleConfigurationException if the authentication users cannot
 * be removed.
 */
 public void removeAuthenticatedUsersFromRole( String role)
 throws RoleConfigurationException

/**
 * This commits the changes in Roleconfiguration. 
 * @exception RoleConfigurationException if the changes cannot be 
 * committed.
 */	 
 public void commit( )
 throws RoleConfigurationException 

/**
 * This deletes the RoleConfiguration from the RoleConfiguration Factory. 
 * @exception RoleConfigurationException if the RoleConfiguration cannot
 * be deleted.
 */	
 public void delete( )
 throws RoleConfigurationException 

/**
 * This returns the contextID of the RoleConfiguration.
 * @exception RoleConfigurationException if the contextID cannot be 
 * obtained.
 */	
 public String getContextID( )
 throws RoleConfigurationException 

RoleConfigurationFactory interface

The RoleConfigurationFactory interface is similar to the PolicyConfigurationFactory interface that is introduced by JACC, and is used to obtain RoleConfiguration objects based on the contextID IDs.
RoleConfigurationFactory
 - com.ibm.wsspi.security.authorization.RoleConfigurationFactory

/**
 * This interface is used to instantiate the com.ibm.wsspi.security.authorization.RoleConfiguration
 * objects based on the context identifier similar to the policy context identifier.
 * Implementation of this interface is required only if the RoleConfiguration interface is implemented. 
 *
 * @ibm-spi
 * @ibm-support-class-A1
 */

public interface RoleConfigurationFactory 
/**
 * This gets a RoleConfiguration with contextID from the
 * RoleConfigurationfactory. If the RoleConfiguration does not exist 
 * for the contextID in the RoleConfigurationFactory, a new 
 * RoleConfiguration with contextID is created in the
 * RoleConfigurationFactory. The contextID is similar to
 * PolicyContextID, but it does not contain the module name. 
 * If remove is true, the old RoleConfiguration is removed and a new 
 * RoleConfiguration is created, and returns with the contextID.
 * @return the RoleConfiguration object for this contextID
 * @param contextID the context ID of RoleConfiguration
 * @param remove true or false
 * @exception RoleConfigurationException if RoleConfiguration 
 * cannot be obtained.
 **/
public abstract com.ibm.ws.security.policy.RoleConfiguration
       		getRoleConfiguration(String contextID, boolean remove)
			   throws RoleConfigurationException

InitializeJACCProvider provider

When implemented by the provider, this interface is called by every process where the JACC provider can be used for authorization. All additional properties that are entered during the authorization check are passed to the provider. For example, the provider can use this information to initialize client code to communicate with their server or repository. The cleanup method is called during server shutdown to clean up the configuration.

Declaration

public interface InitializeJACCProvider

Description

This interface has two methods. The JACC provider can implement the interface, and WebSphere Application Server calls it to initialize the JACC provider. The name of the implementation class is obtained from the value of the initializeJACCProviderClassName system property.

This class must reside in a Java archive (JAR) file on the class path of each server that uses this provider.
InitializeJACCProvider
			- com.ibm.wsspi.security.authorization.InitializeJACCProvider

		/**
		 * Initializes the JACC provider
      * @return 0 for success.
		 * @param props the custom properties that are included for this provider will
		 * pass to the implementation class.
		 * @exception Exception for any problems encountered.
		 **/
		public int initialize(java.util.Properties props)
		throws Exception

		/**
		 * This method is for the JACC provider cleanup and will be called during a process stop.
		 **/
		public void cleanup()



Related concepts
Authorization providers
JACC providers
JACC support in WebSphere Application Server
Tivoli Access Manager integration as the JACC provider
Authorization providers
Related tasks
Enabling an external JACC provider
Authorizing access to J2EE resources using Tivoli Access Manager
Propagating security policy of installed applications to a JACC provider using wsadmin scripting
Enabling an external JACC provider
Related reference
Interfaces that support JACC
Security authorization provider troubleshooting tips
Related information
IBM Tivoli Access Manager for e-business information center
Concept topic    

Terms of Use | Feedback

Last updated: Aug 29, 2010 6:22:59 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-express-dist&topic=csec_jaccintegrate
File name: csec_jaccintegrate.html