An authentication mechanism defines rules about security information, for example, whether a credential is forwardable to another Java process, and the format of how security information is stored in both credentials and tokens.
Authentication is the process of establishing whether a client is who or what it claims to be in a particular context. A client can be either an end user, a machine, or an application.
An authentication mechanism in WebSphere Application Server typically collaborates closely with a user registry. The user registry is the user and groups account repository that the authentication mechanism consults with when performing authentication. The authentication mechanism is responsible for creating a credential, which is an internal product representation of a successfully authenticated client user. Not all credentials are created equally. The abilities of the credential are determined by the configured authentication mechanism.
Authentication process
Web clients use the HTTP or HTTPS protocol to send the authentication information, as shown in the previous figure.
The authentication module uses the registry that is configured on the system to perform the authentication (4). Three types of registries are supported: Local OS, Lightweight Directory Access Protocol (LDAP), and custom registry. External registry implementation following the registry interface that is specified by IBM can replace either the Local OS or the LDAP user registry.
The login module creates a JAAS subject after authentication and stores the credential derived from the authentication data in the public credentials list of the subject. The credential is returned to the Web authenticator or to the enterprise beans authenticator (5).
The Web authenticator and the enterprise beans authenticator store the received credentials in the Object Request Broker (ORB) current for the authorization service to use in performing further access control checks. If the credentials are forwardable, they are sent to other application servers.