By default, when WebSphere® Application Server
makes an outbound request from one server to another server in a different
security realm, the request is rejected. This topic details alternatives
for enabling one server to send outbound requests to a target server
in a different realm.
About this task
This outbound request is rejected to protect against a rogue
server reading potentially sensitive information if successfully impersonating
the home of the object. Select one of the following alternative procedures
so that one server can send outbound requests to a target server in
a different realm. When you are finished with a procedure on the administrative
console, click Apply.
Procedure
- Do not perform mapping. Instead, allow the existing security
information to flow to a trusted target server, even if the target
server resides in a different realm. Complete the following
steps in the administrative console:
  - Click Security > Global security.
  - Under RMI/IIOP security, click CSIv2 outbound authentication.
  - Specify the target realms in the Trusted target realms field.
  Separate multiple trusted target realms with a pipe (|) character.
  For example, specify server_name.domain:port_number for
  a Lightweight Directory Access Protocol (LDAP) server, or the machine
  name for a local operating system registry. If you want to propagate security
  attributes to a different target realm, you must specify that target
  realm in the Trusted target realms field.
- Use the Java Authentication and Authorization
Service (JAAS) WSLogin application login configuration to create a
basic authentication Subject that contains the credentials of the
new target realm. This configuration enables you to log
in with a realm, user ID, and password that are specific to the user
registry of the target realm. You can provide the login information
from within the Java Platform, Enterprise Edition
(Java EE) application that is making the outbound
request or from within the RMI_OUTBOUND system login configuration.
These two login options are described in the following information:
  - Use the WSLogin application login configuration from
  within the Java EE application to log in and
  get a Subject that contains the user ID and the password of the target
  realm. The application can wrap the remote call with a
  WSSubject.doAs call. For an example, see Example: Using the WSLogin configuration to create a basic authentication subject.
  - Use the code sample in Example: Using the WSLogin configuration to create a basic authentication subject from this
  plug point within the RMI_OUTBOUND login configuration. Every
  outbound Remote Method Invocation (RMI) request passes through this
  login configuration when it is enabled. Complete the following steps
  to enable and plug in this login configuration:
    - Click Security > Global security.
    - Under RMI/IIOP security, click CSIv2 outbound authentication.
    - Select the Custom outbound mapping option. If the Security
    Attribute Propagation option is selected, then WebSphere Application
    Server is already using this login configuration and you do not need
    to enable custom outbound mapping.
    - Write a custom login module. For more information, see Developing custom login modules for a system login configuration for JAAS.
    The topic Example: Sample login configuration for RMI_OUTBOUND shows a custom
    login module that determines whether the realm names match. In this
    example, the realm names do not match, so the WSLogin module is used
    to create a basic authentication Subject based on custom mapping rules.
    The custom mapping rules are specific to the customer environment
    and must be implemented using a realm to user ID and password mapping
    utility.
    - Configure the RMI_OUTBOUND login configuration so that your new
    custom login module is first in the list.
      - Click Security > Global security.
      - Under Java Authentication and Authorization
      Service, click System logins > RMI_OUTBOUND.
      - Under Additional Properties, click JAAS login modules >
      New to add your login module to the RMI_OUTBOUND configuration.
      - Return to the JAAS login modules panel for RMI_OUTBOUND.
      - Click Set order to change the order in which the login modules
      are loaded so that your custom login module is loaded first.
  - Add the use_realm_callback and use_appcontext_callback
  options to the outbound mapping module for WSLogin. When
  using the WSLogin JAAS configurations, you must set the use_realm_callback
  option in the wsjaas_client.config file in $WAS_HOME/profiles/$ProfileName/properties
  for the realm name to be passed to the callback handler. If you want
  to specify a different provider URL for the name server, set the use_appcontext_callback
  option and pass in the provider URL properties in a hash map to WSLogin.
  To add these options, complete the following steps:
    - Click Security > Global security.
    - Under Java Authentication
    and Authorization Service, click Application logins > WSLogin.
    - Under Additional properties, click JAAS login modules >
    com.ibm.ws.security.common.auth.module.WSLoginModuleImpl.
    - Under Additional properties, click Custom Properties >
    New.
    - On the Custom properties panel, enter use_realm_callback in
    the Name field and true in the Value field.
    - Click OK.
    - Click New to enter the second custom property.
    - On the Custom properties panel, enter use_appcontext_callback in
    the Name field and true in the Value field.
  The following changes are made to the security.xml file:

  <entries xmi:id="JAASConfigurationEntry_2" alias="WSLogin">
    <loginModules xmi:id="JAASLoginModule_2"
      moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy"
      authenticationStrategy="REQUIRED">
      <options xmi:id="Property_2" name="delegate"
        value="com.ibm.ws.security.common.auth.module.WSLoginModuleImpl"/>
      <options xmi:id="Property_3" name="use_realm_callback" value="true"/>
      <options xmi:id="Property_4" name="use_appcontext_callback" value="true"/>
    </loginModules>
  </entries>
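The application-side WSLogin option above (logging in with the target realm's user ID and password and wrapping the remote call in WSSubject.doAs) together with the use_realm_callback and use_appcontext_callback options, as an added Java example that is not from this page or from IBM: it assumes the four-argument WSCallbackHandlerImpl constructor (user ID, realm, password, application-context map), and the realm-to-credential map it takes is a stand-in for the customer-specific mapping utility the page refers to.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.naming.Context;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

/** Makes an outbound call into a different security realm under a WSLogin basic-auth Subject. */
public class CrossRealmCaller {

    /** User ID and password for one target realm. */
    public static final class RealmCredential {
        public final String userId, password;
        public RealmCredential(String userId, String password) { this.userId = userId; this.password = password; }
    }

    private final String localRealm;
    // Stand-in for the customer-specific realm -> (user ID, password) mapping utility (assumption):
    // populate it from a protected credential store, never from constants in code.
    private final Map<String, RealmCredential> realmMapping;

    public CrossRealmCaller(String localRealm, Map<String, RealmCredential> realmMapping) {
        this.localRealm = localRealm;
        this.realmMapping = realmMapping;
    }

    /** Logs in to WSLogin as the target realm's user. The realm only reaches the callback handler
     *  when use_realm_callback=true on WSLoginModuleImpl; the provider URL in the app-context map
     *  is only honoured when use_appcontext_callback=true (both set in security.xml above). */
    Subject subjectForRealm(String targetRealm, String providerUrl) throws LoginException {
        RealmCredential cred = realmMapping.get(targetRealm);
        if (cred == null) throw new LoginException("no credential mapping for realm " + targetRealm);
        Map<String, String> appContext = new HashMap<>();
        appContext.put(Context.PROVIDER_URL, providerUrl); // e.g. a corbaloc:iiop URL for the target name server
        LoginContext lc = new LoginContext("WSLogin",
                new WSCallbackHandlerImpl(cred.userId, targetRealm, cred.password, appContext));
        lc.login();
        return lc.getSubject();
    }

    /** Runs the remote call as the mapped Subject; when the realms already match, no mapping is done
     *  and the caller's existing security information flows as it would for a trusted target realm. */
    @SuppressWarnings("unchecked")
    public <T> T callInRealm(String targetRealm, String providerUrl,
                             PrivilegedExceptionAction<T> remoteCall) throws Exception {
        if (localRealm.equals(targetRealm)) return remoteCall.run();
        Subject subject = subjectForRealm(targetRealm, providerUrl);
        return (T) WSSubject.doAs(subject, remoteCall);
    }
}
```

The same realm comparison and WSLogin login can be placed in a custom RMI_OUTBOUND login module instead, so that every outbound RMI request is mapped without changes to application code.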