Customizing a server-side Java Authentication and Authorization Service authentication and login configuration

WebSphere® Application Server supports plugging in a custom Java™ Authentication and Authorization Service (JAAS) login module before or after the WebSphere Application Server system login module. However, WebSphere Application Server does not support the replacement of the WebSphere Application Server system login modules, which are used to create the WSCredential credential and WSPrincipal principal in the Subject. By using a custom login module, you can either make additional authentication decisions or add information to the Subject to make additional, potentially finer-grained, authorization decisions inside a Java Platform, Enterprise Edition (Java EE) application.

About this task

WebSphere Application Server enables you to propagate information downstream that is added to the Subject by a custom login module. For more information, see Security attribute propagation. To determine which login configuration to use for plugging in your custom login modules, see the descriptions of the login configurations that are located in the System login configuration entry settings for Java Authentication and Authorization Service.

WebSphere Application Server supports the modification of the system login configuration through the administrative console and by using the wsadmin scripting utility. To configure the system login configuration using the administrative console, click Security > Global security. Under Java Authentication and Authorization Service, click System logins.

Procedure

What to do next

The application name and the HttpServletRequest object might be read by the custom login module to perform mapping functions. The error page of the form-based login might be modified by a custom login module. In addition to the JAAS framework, WebSphere Application Server supports the trust association interface (TAI).

Other credential types and information can be added to the caller Subject during the authentication process by a custom login module. The third-party credentials in the caller Subject are managed by WebSphere Application Server as part of the security context. The caller Subject is bound to the running thread during request processing. When a Web or an Enterprise JavaBeans™ (EJB) module is configured to use the caller identity, the user identity is propagated to the downstream service in an EJB request. The WSCredential credential and any third-party credentials in the caller Subject are not propagated downstream; instead, some of the information can be regenerated at the target server based on the propagated identity. Because the caller Subject that is returned from the WSSubject.getCallerSubject method is read-only and cannot be modified, add third-party credentials to the caller Subject at the authentication stage. For more information on the WSSubject subject, see Getting the caller subject from the thread for JAAS.
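As an added example (not code from this topic or from IBM), a custom login module of the kind described above: it decides in login() and, in commit(), adds an application-defined principal to the Subject while the Subject is still writable, leaving the WSPrincipal and WSCredential created by the system login module untouched. The DepartmentLoginModule name, the in-memory department map and the assumption that the configured CallbackHandler answers a NameCallback are all constructed for this example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Example module (assumed name) configured AFTER the WebSphere system login module.
 *  It adds a DepartmentPrincipal so the application can make finer-grained
 *  authorization decisions; it never replaces WSPrincipal or WSCredential. */
public class DepartmentLoginModule implements LoginModule {
    /** Application-defined principal; its name is the user's department. */
    public static final class DepartmentPrincipal implements Principal {
        private final String dept;
        DepartmentPrincipal(String dept) { this.dept = dept; }
        @Override public String getName() { return dept; }
    }
    // Constructed stand-in for a real attribute store (assumption for this example).
    private static final Map<String, String> DEPARTMENTS = new HashMap<String, String>();
    static { DEPARTMENTS.put("alice", "finance"); DEPARTMENTS.put("bob", "engineering"); }

    private Subject subject;
    private CallbackHandler handler;
    private DepartmentPrincipal pending;   // decided in login(), applied in commit()

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    @Override public boolean login() throws LoginException {
        // Phase 1: look up the attribute. Assumes the handler answers a NameCallback.
        NameCallback nc = new NameCallback("user: ");
        try { handler.handle(new Callback[] { nc }); }
        catch (Exception e) { throw new LoginException("cannot obtain user name: " + e); }
        String dept = DEPARTMENTS.get(nc.getName());
        if (dept == null) return false;   // returning false tells JAAS to ignore this module
        pending = new DepartmentPrincipal(dept);
        return true;
    }
    @Override public boolean commit() {
        // Phase 2: the Subject is writable here; once it is the caller Subject on the
        // thread it is read-only, so this is the last point at which to add to it.
        if (pending != null && !subject.isReadOnly()) subject.getPrincipals().add(pending);
        return pending != null;
    }
    @Override public boolean abort() { pending = null; return true; }
    @Override public boolean logout() {
        if (pending != null && !subject.isReadOnly()) subject.getPrincipals().remove(pending);
        return true;
    }
}
```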


Last updated: Oct 21, 2010 10:04:34 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=tsec_custsvrsidejaas
File name: tsec_custsvrsidejaas.html