Before you begin
Java Authentication and Authorization Service (JAAS) represents the
strategic application programming interfaces (API) for authentication.
JAAS replaces the CORBA programmatic login APIs. WebSphere Application
Server provides some extensions to JAAS:
- Refer to the Developing applications that use CosNaming (CORBA Naming interface) article
for details on how to set up the environment for thin client applications
to access remote resources on a server.
- If the application uses a custom JAAS login configuration, verify that
the JAAS login configuration is properly defined. See Configuring application logins for Java Authentication and Authorization
Service for details.
- Some of the JAAS application programming interfaces (APIs) are protected
by Java 2 security permissions. If application code uses these APIs,
verify that the required permissions are added to the application's was.policy file.
See Adding the was.policy file to applications, Using Policy Tool to edit policy files, and Configuring the was.policy file for
details. For more details on which APIs are protected by Java 2 security permissions,
check the IBM Developer Kit, Java Technology Edition; JAAS and WebSphere Application
Server public APIs documentation in Security: Resources for learning. Some of the APIs that are used in the sample code
in this documentation, and the Java 2 security permissions that these APIs require,
are presented in the following list:
  - javax.security.auth.login.LoginContext constructors are protected by the
    javax.security.auth.AuthPermission "createLoginContext" object.
  - javax.security.auth.Subject.doAs and com.ibm.websphere.security.auth.WSSubject.doAs
    methods are protected by the javax.security.auth.AuthPermission "doAs" object.
  - javax.security.auth.Subject.doAsPrivileged and com.ibm.websphere.security.auth.WSSubject.doAsPrivileged
    methods are protected by the javax.security.auth.AuthPermission "doAsPrivileged"
    object.
- Enhanced model to Java 2 Platform, Enterprise Edition (J2EE) resources
for authorization checks. Due to a design oversight in JAAS Version 1.0,
the javax.security.auth.Subject.getSubject method does not return the Subject
that is associated with the running thread inside a java.security.AccessController.doPrivileged
code block. This oversight can cause inconsistent behavior, which might
have unwanted effects. The com.ibm.websphere.security.auth.WSSubject class
provides a workaround to associate a Subject with a running thread. The com.ibm.websphere.security.auth.WSSubject
class extends the JAAS model to J2EE resources for authorization checks. If
the Subject that is associated with the running thread within the com.ibm.websphere.security.auth.WSSubject.doAs
method or the com.ibm.websphere.security.auth.WSSubject.doAsPrivileged
code block contains product credentials, that Subject is used for J2EE resource
authorization checks.
- User interface support for defining new JAAS login configurations.
You can configure a JAAS login configuration in the administrative console
and store the JAAS login configuration in the WebSphere Common Configuration
Model. Applications can define a new JAAS login configuration in the administrative
console, and the data is persisted in the configuration repository. However,
WebSphere Application Server still supports the default JAAS login configuration
format (plain text file) that is provided by the JAAS default implementation.
If duplicate login configurations are defined in both the WebSphere Common
Configuration Model and the plain text file format, the one in the WebSphere
Common Configuration Model takes precedence. Advantages of defining the login
configuration in the WebSphere Common Configuration Model include:
  - UI support in defining the JAAS login configuration
  - Central management of the JAAS login configuration
  - Distribution of the JAAS login configuration in a Network Deployment installation
- Application support for programmatic authentication. WebSphere
Application Server provides JAAS login configurations for applications to
perform programmatic authentication to the WebSphere security run time. These
configurations perform authentication to the WebSphere Application Server-configured
authentication mechanism (Simple WebSphere Authentication Mechanism (SWAM)
or Lightweight Third Party Authentication (LTPA)) and user registry (Local
OS, Lightweight Directory Access Protocol (LDAP) or Custom) based on the authentication
data that is supplied. The authenticated Subject from these JAAS login configurations
contains the required principal and credentials that the WebSphere security
run time can use to perform authorization checks on J2EE role-based protected
resources. Here are the JAAS login configurations that are provided by WebSphere
Application Server:
  - WSLogin JAAS login configuration. A generic JAAS login configuration
    that Java clients, client container applications, servlets, JavaServer
    Pages (JSP) files, and Enterprise JavaBeans (EJB) components can use to perform authentication
    to the WebSphere security run time based on a user ID and password, or a token.
    However, this configuration does not honor the CallbackHandler handler
    that is specified in the client container deployment descriptor.
  - ClientContainer JAAS login configuration. This JAAS login configuration
    honors the CallbackHandler handler that is specified in the client container
    deployment descriptor. The login module of this login configuration uses the
    CallbackHandler handler in the client container deployment descriptor if one
    is specified, even if the application code specified a callback handler
    in the login context. This configuration is intended for client container applications.

  A Subject
  authenticated with the previously mentioned JAAS login configurations contains
  a com.ibm.websphere.security.auth.WSPrincipal principal and a com.ibm.websphere.security.cred.WSCredential
  credential. If the authenticated Subject is passed to the com.ibm.websphere.security.auth.WSSubject.doAs
  method or the other doAs methods, the product security run time can perform authorization
  checks on J2EE resources based on the com.ibm.websphere.security.cred.WSCredential
  in the Subject.
  - Customer-defined JAAS login configurations. You can define other
    JAAS login configurations to perform programmatic authentication to your authentication
    mechanism. See Configuring application logins for Java Authentication and Authorization
    Service for details. For the product security run time to perform authorization checks,
    the subjects from these customer-defined JAAS login configurations must contain
    the required principal and credentials.
- Naming requirements
for programmatic login on a pure Java client. When programmatic login
occurs on a pure Java client and the property com.ibm.CORBA.validateBasicAuth equals true,
the security code must know where the SecurityServer resides.
Typically, the default InitialContext is sufficient when a java.naming.provider.url property
is set as a system property or in the jndi.properties file.
In other cases, it is not desirable to set the same java.naming.provider.url property
system wide. In this case, security-specific bootstrap information must be
specified in the sas.client.props file. The
following steps present the order of precedence for determining how to find
the SecurityServer in a pure Java client:
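The following is an added example, not code from this documentation, showing how the pieces above fit together: a LoginContext for the WSLogin configuration driven by a plain JAAS CallbackHandler, the resulting Subject passed to WSSubject.doAs so that J2EE authorization checks use its WSCredential, and the was.policy grants the listed AuthPermission targets require. The class and method names (WsLoginExample, UserPasswordHandler, runAsUser) are this example's own; it assumes the WebSphere Application Server runtime classes are on the classpath and that WSSubject.doAs(Subject, PrivilegedAction) returns Object like its javax.security.auth.Subject.doAs counterpart.

```java
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;
// was.policy grants needed by this code (permission names as listed above):
//   grant codeBase "file:${application}" {
//     permission javax.security.auth.AuthPermission "createLoginContext";
//     permission javax.security.auth.AuthPermission "doAs";
//   };
public class WsLoginExample {
    // Minimal CallbackHandler answering the user ID and password callbacks of WSLogin.
    // Callbacks it does not recognize are left unanswered rather than rejected.
    static final class UserPasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        UserPasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                }
            }
        }
    }

    // Authenticates through the WSLogin configuration and runs the action under that Subject.
    static Object runAsUser(String user, char[] password, PrivilegedAction action) throws LoginException {
        LoginContext lc = new LoginContext("WSLogin", new UserPasswordHandler(user, password));
        lc.login();                        // throws LoginException on bad credentials
        Subject subject = lc.getSubject(); // holds WSPrincipal and WSCredential
        try {
            // Associates the Subject with the thread so J2EE authorization checks use its WSCredential
            return WSSubject.doAs(subject, action);
        } finally {
            lc.logout();                   // releases the credentials once the work is done
        }
    }
}
```

Calls to J2EE role-protected resources made inside the PrivilegedAction passed to runAsUser are authorized as the authenticated user; a missing grant surfaces as a java.security.AccessControlException at the LoginContext constructor or at WSSubject.doAs, which is the first thing to check when the login appears to fail under Java 2 security.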