WebSphere Application Server supports the Java 2 Platform, Enterprise Edition (J2EE) declarative security model. You can define the authentication and access control policy using the J2EE deployment descriptor. You can further stack custom login modules to customize the WebSphere Application Server authentication mechanism. A custom login module can perform principal and credential mapping, custom security token and custom credential processing, and error handling, among other possibilities. Typically, you do not need to use application code to perform authentication functions. Use the programming techniques that are described in this section only if you have to perform authentication functions in application code. For example, if you have applications that are programmed to the SSOAuthenticator helper function, you can use the following programming interface instead. The SSOAuthenticator helper function was deprecated starting with WebSphere Application Server Version 4.0. Use declarative security as a rule; use the techniques that are described in this section as a last resort.
When the Lightweight Third-Party Authentication (LTPA) mechanism's single signon (SSO) option is enabled, the Web client login session is tracked by an LTPA SSO token cookie after a successful login. At logout, this token is deleted to terminate the login session, but the server-side subject is not deleted. When you use the declarative security model, the WebSphere Application Server Web container performs client authentication and login session management automatically. You can perform authentication in application code by setting up a login page without a J2EE security constraint and by directing client requests to your login page first. Your login page can use the Java Authentication and Authorization Service (JAAS) programming model to perform authentication. To enable the WebSphere Application Server Web login modules to generate SSO cookies, follow these steps:
Suppose you wrote a LoginServlet.java:

    import java.io.PrintWriter;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.ibm.wsspi.security.auth.callback.WSCallbackHandlerFactory;
    import com.ibm.websphere.security.auth.WSSubject;

    public Object login(HttpServletRequest req, HttpServletResponse res) throws ServletException {
        PrintWriter out = null;
        try {
            out = res.getWriter();
            res.setContentType("text/html");
        } catch (java.io.IOException e) {
            // Error handling
        }
        // The user ID and password are taken from the login form that posts to this servlet
        String userid = req.getParameter("userid");
        String password = req.getParameter("password");
        Subject subject = null;
        try {
            // Passing req and res to the callback handler lets the WebSphere login modules
            // set the LTPA SSO cookie on the response
            LoginContext lc = new LoginContext("system.Your_login_configuration",
                    WSCallbackHandlerFactory.getInstance().getCallbackHandler(userid, null, password, req, res, null));
            lc.login();
            subject = lc.getSubject();
            WSSubject.setRunAsSubject(subject);
        } catch (Exception e) {
            // catch all possible exceptions if you want or handle them separately
            out.println("Exception in LoginContext login + Exception = " + e.getMessage());
            throw new ServletException(e.getMessage());
        }
        return subject;
    }

The following is sample code to revoke the SSO cookies upon a programmatic logout. The LogoutServlet.java:

    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.ibm.websphere.security.WSSecurityHelper;

    public void logout(HttpServletRequest req, HttpServletResponse res, Object retCreds) throws ServletException {
        PrintWriter out = null;
        try {
            out = res.getWriter();
            res.setContentType("text/html");
        } catch (java.io.IOException e) {
            // Error handling
        }
        try {
            // Deletes the LTPA SSO cookies; the server-side subject itself is not removed
            WSSecurityHelper.revokeSSOCookies(req, res);
        } catch (Exception e) {
            // catch all possible exceptions if you want or handle them separately
            out.println("JAASLogoutServlet: logout Exception = " + e.getMessage());
            throw new ServletException(e);
        }
    }
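The topic says to direct client requests to your login page first, but shows only the login call itself. The following is an added example, not code from the IBM topic or from WebSphere Application Server: a servlet filter that sends clients who have not yet logged in to the login page, and a login servlet that performs the same JAAS login through WSCallbackHandlerFactory and WSSubject, then returns the client to the page it originally requested. The login configuration name "system.Your_login_configuration", the paths "/login.html" and "/login", and the session attribute names are assumptions; substitute your own. In a deployed module each class would be in its own file.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.auth.callback.WSCallbackHandlerFactory;

// Added example, not from the IBM topic. Map this filter to the application URLs that
// require a login; it sends clients without a completed login to the login page first.
public class LoginGateFilter implements Filter {
    static final String AUTH_FLAG = "example.loggedIn";   // constructed session attribute names
    static final String SAVED_URI = "example.savedUri";
    static final String LOGIN_PAGE = "/login.html";        // assumed path of the login form
    static final String LOGIN_ACTION = "/login";           // assumed mapping of LoginServlet

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && Boolean.TRUE.equals(session.getAttribute(AUTH_FLAG));
        String path = req.getServletPath();
        if (loggedIn || LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(request, response);
            return;
        }
        // Not logged in: remember the requested page, then send the client to the login page.
        req.getSession(true).setAttribute(SAVED_URI, req.getRequestURI());
        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
    }
}

// Receives the POST from the login form (assumed to be mapped to /login).
class LoginServlet extends HttpServlet {
    // Placeholder: substitute the name of your system login configuration.
    private static final String LOGIN_CONFIG = "system.Your_login_configuration";

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String userid = req.getParameter("userid");
        String password = req.getParameter("password");
        if (userid == null || password == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Passing req and res lets the WebSphere login modules set the LTPA SSO cookie.
            LoginContext lc = new LoginContext(LOGIN_CONFIG,
                    WSCallbackHandlerFactory.getInstance()
                            .getCallbackHandler(userid, null, password, req, res, null));
            lc.login();
            Subject subject = lc.getSubject();
            WSSubject.setRunAsSubject(subject);
        } catch (Exception e) {
            // Keep the failure detail in the server log; the client only learns that login failed.
            log("JAAS login failed", e);
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop the pre-login session so the session ID changes after authentication,
        // carrying over only the saved target page.
        String target = null;
        HttpSession old = req.getSession(false);
        if (old != null) {
            target = (String) old.getAttribute(LoginGateFilter.SAVED_URI);
            old.invalidate();
        }
        req.getSession(true).setAttribute(LoginGateFilter.AUTH_FLAG, Boolean.TRUE);
        // Only follow a target inside this application; otherwise go to its root.
        String root = req.getContextPath() + "/";
        if (target == null || !target.startsWith(root)) {
            target = root;
        }
        res.sendRedirect(target);
    }
}
```

Because the LTPA SSO token is deleted at logout while the server-side subject is not, a logout servlet that pairs with this filter should both call WSSecurityHelper.revokeSSOCookies(req, res), as in the sample above, and invalidate the HttpSession, so that the session flag the filter relies on is dropped as well.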
For more information on JAAS authentication, refer to Developing programmatic logins with the Java Authentication and Authorization Service. For more information on the AuthenLoginModule login module, refer to Example: Customizing a server-side Java Authentication and Authorization Service authentication and login configuration.
Related concepts
Programmatic login
Related tasks
Developing programmatic logins with the Java Authentication and Authorization Service
Related reference
Example: Customizing a server-side Java Authentication and Authorization Service authentication and login configuration