Before you begin
You might have applications that were installed before you enabled Java Authorization Contract for Containers (JACC)-based authorization. You can start with default authorization and move to an external provider-based authorization using JACC later. Also, during application installation or modification, problems such as a network failure or an unavailable JACC provider might have prevented the security policy information from being propagated to the JACC provider. In these cases, the security policy of the previously installed applications does not exist in the JACC provider, so it is not available for making access decisions. One choice is to reinstall the applications involved. However, you can avoid reinstalling by using the wsadmin scripting tool, which propagates the information to the JACC provider independently of the application installation process.
The tool uses the SecurityAdmin MBean to propagate the policy information in the deployment descriptor of any installed application to the JACC provider. Invoke the tool with wsadmin at the base application server for a base installation, or at the deployment manager level for Network Deployment. Note that the SecurityAdmin MBean is available only when the server is running.
Use propagatePolicyToJACCProvider(String appNames) to propagate the policy information in the deployment descriptor of the enterprise archive (EAR) files to the JACC provider. If the RoleConfigurationFactory and the RoleConfiguration interfaces are implemented by the JACC provider, the authorization table information in the binding file of the EAR files is also propagated to the provider. See Interfaces used to support JACC for more information about these interfaces.
The appNames parameter contains the list of application names, delimited by a colon (:), whose policy information must be stored in the provider. If a null value is passed, the policy information of all the deployed applications is propagated to the provider.
Steps for this task
# Use the SecurityAdmin MBean at the deployment manager or the unmanaged base application server
wsadmin -user serverID -password serverPWD
wsadmin>set secadm [lindex [$AdminControl queryNames type=SecurityAdmin,*] 0]
# To propagate the security policy information of specific applications
wsadmin>set appNames [list app1:app2]
# Or to propagate all installed applications
wsadmin>set appNames [list null]
# Run the command to propagate
wsadmin>$AdminControl invoke $secadm propagatePolicyToJACCProvider $appNames
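The same steps as a script for wsadmin started with -lang jython. This is an added example, not code from the original documentation: the helper names build_app_names, find_security_admin and propagate are hypothetical, and the script assumes it is run with wsadmin -f so that the AdminControl and AdminApp scripting objects are defined. It checks each requested name against the installed applications and confirms that the SecurityAdmin MBean is present before invoking it.

```python
# Added example (not from the original documentation). Hypothetical helpers for
# wsadmin -lang jython; AdminControl and AdminApp are supplied by wsadmin.

def build_app_names(requested, installed):
    """Build the colon-delimited appNames argument, or "null" for all applications."""
    if not requested:
        return "null"  # a null value propagates every deployed application
    names = []
    for name in requested:
        name = name.strip()
        if ":" in name:
            # ':' is the list delimiter, so it cannot appear inside a single name
            raise ValueError("application name contains ':': %r" % name)
        if name not in installed:
            # catch a mistyped name here, before anything is sent to the MBean
            raise ValueError("application is not installed: %r" % name)
        if name not in names:
            names.append(name)  # drop duplicates, keep the requested order
    return ":".join(names)


def find_security_admin(admin_control):
    """Return the first SecurityAdmin MBean name; it exists only while the server runs."""
    result = admin_control.queryNames("type=SecurityAdmin,*")
    found = [n.strip() for n in result.splitlines() if n.strip()]
    if not found:
        raise RuntimeError("SecurityAdmin MBean not found; is the server running?")
    return found[0]


def propagate(admin_control, admin_app, requested):
    """Validate the names, then invoke propagatePolicyToJACCProvider."""
    installed = [a.strip() for a in admin_app.list().splitlines() if a.strip()]
    app_names = build_app_names(requested, installed)
    secadm = find_security_admin(admin_control)
    return admin_control.invoke(secadm, "propagatePolicyToJACCProvider", app_names)


try:
    AdminControl  # defined only when the script runs inside wsadmin
except NameError:
    pass
else:
    # app1 and app2 are the placeholder application names used in the steps above
    print(propagate(AdminControl, AdminApp, ["app1", "app2"]))
```

Pass an empty list to propagate to send the null value and propagate every installed application.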
Related concepts
Authorization in WebSphere Application Server
Tivoli Access Manager integration as the JACC provider
JACC providers
JACC support in WebSphere Application Server
Related tasks
Configuring a JACC provider
Enabling an external JACC provider
Related reference
Interfaces used to support JACC
Troubleshooting authorization providers