WebSphere Application Server Network Deployment, Version 6.1
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS


External authorization provider settings

Use this page to enable a Java Authorization Contract for Containers (JACC) provider for authorization decisions.

To view this administrative console page, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Click External authorization providers.

The application server provides a default authorization engine that performs all of the authorization decisions. In addition, the application server also supports an external authorization provider using the JACC specification to replace the default authorization engine for Java 2 Platform, Enterprise Edition (J2EE) applications.

JACC is part of the J2EE specification, which enables third-party security providers such as Tivoli Access Manager to plug into the application server and make authorization decisions.

Important: Unless you have an external JACC provider or want to use a JACC provider for Tivoli Access Manager that can handle J2EE authorizations based on JACC, and it is configured and set up to use with the application server, do not enable External authorization using a JACC provider.

System Authorization Facility (SAF) authorization [z/OS]

Use this option to specify that SAF EJBROLE profiles are used for user-to-role authorization for both Java 2 Platform, Enterprise Edition (J2EE) applications and the role-based authorization requests (naming and administration) that are associated with application server runtime. This option is available when your environment contains z/OS nodes only.

Important: When you select this option, WebSphere Application Server uses the authorization policy that is stored in the z/OS security product for authorization.
If a Lightweight Directory Access Protocol (LDAP) registry or a custom registry is configured and SAF authorization is specified, a mapping to a z/OS principal is required at each login before any protected method can run:
  • If the authentication mechanism is Lightweight Third Party Authentication (LTPA), it is recommended that you update each of the configuration entries (such as WEB_INBOUND, RMI_INBOUND, and DEFAULT) to include a mapping to a valid z/OS principal.
  • If the authentication mechanism is Simple WebSphere Authentication Mechanism (SWAM), you must update the SWAM configuration entry to include a mapping to a valid z/OS principal.
    Note: SWAM is deprecated and will be removed in a future release.

You can enable several SAF authorization properties by clicking z/OS SAF authorization under Related items. You can add a value for the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property. Set this property to turn ICH408I messages on or off. The default value for this property is false, which does not suppress messages. You can set this value to true to suppress the ICH408I messages.

This property affects access violation message generation for both application-defined roles and for the application server runtime roles for the naming and administrative subsystems. System Management Facility (SMF) records are unaffected by this property. EJBROLE profile checks are done for both declarative (deployment descriptors) and programmatic checks:
  • Declarative checks are coded as security constraints in the deployment descriptors of Web applications and enterprise beans. This property does not control messages in this case. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles. SMF then logs a single access violation for that role.
  • Program logic checks (or access checks) are performed using the programmatic isCallerInRole(x) call for enterprise beans or isUserInRole(x) for Web applications. The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages that these calls generate.
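The following servlet is an added illustration of the two kinds of EJBROLE checks described above; it is not code from the IBM documentation. The role names (Manager, Auditor) and the URL pattern are assumed values for the example.

```java
// Added example (not from the IBM page). Shows a declarative check and a
// programmatic check in the same Web application, because the SAF property
// com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress affects only the
// programmatic one. Role names and URL pattern are assumed.
//
// Declarative check: coded as a security constraint in web.xml (assumed fragment).
// The container evaluates it before doGet() runs. With SAF authorization, a
// failure here produces an ICH408I message for the role and a single SMF
// access-violation record, regardless of the Suppress property.
//
// <security-constraint>
//   <web-resource-collection>
//     <web-resource-name>reports</web-resource-name>
//     <url-pattern>/reports/*</url-pattern>
//   </web-resource-collection>
//   <auth-constraint><role-name>Manager</role-name></auth-constraint>
// </security-constraint>
// <security-role><role-name>Manager</role-name></security-role>
// <security-role><role-name>Auditor</role-name></security-role>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic check: this call drives an EJBROLE profile check for the
        // Auditor role. If it fails, the ICH408I message is written unless the
        // Suppress property is set to true; the SMF record is written either way.
        if (req.isUserInRole("Auditor")) {
            resp.setContentType("text/plain");
            resp.getWriter().println("full report for " + req.getRemoteUser());
        } else {
            // Caller passed the declarative Manager constraint but is not an
            // Auditor: return 403 rather than leaking the detailed report.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

In an enterprise bean the equivalent programmatic check is EJBContext.isCallerInRole(x), and the same suppression rule applies to it.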

External JACC provider

Use this link to configure the application server to use an external JACC provider. The policy class name and the policy configuration factory class name, for example, are required by the JACC specification and must be supplied for any external JACC provider.

The default settings that are contained in this link are used by Tivoli Access Manager for authorization decisions. If you intend to use another provider, modify the settings as appropriate.

Configuration tab

Default authorization

Use this option unless you want an external security provider, such as Tivoli Access Manager, to make the authorization decisions for J2EE applications based on the JACC specification.

Default: Enabled


Last updated: Feb 25, 2009 9:32:38 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_jaccprovider.html