This package contains the interfaces for adding plug-ins to the ObjectGrid security framework and the associated exception classes.
The plug-ins in this package are used for authentication and authorization. Below is a brief summary of these plug-ins.
com.ibm.websphere.objectgrid.security.plugins.Credential plug-in represents a client credential. It is passed from the client to the server for authentication. It could be a user and password pair, a Kerberos ticket, etc.
com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator plug-in is used to get a Credential representing this client. It is a factory for the Credential object.
com.ibm.websphere.objectgrid.security.plugins.Authenticator plug-in is used for an ObjectGrid client to authenticate to an ObjectGrid server.
com.ibm.websphere.objectgrid.security.plugins.SubjectSource plug-in is used to get a Subject instance representing the ObjectGrid client. This plug-in is used when ObjectGrid security is on. The method getSubject is called by the ObjectGrid runtime when the ObjectGrid.getSession() method is used to get a session. This plug-in is normally used for a local ObjectGrid and provides a mechanism to plug in an application server-specific way to retrieve a Subject object from the environment.
com.ibm.websphere.objectgrid.security.plugins.SubjectValidation plug-in is used to validate a Subject object passed to the ObjectGrid. A typical scenario where this plug-in can be used usually has the following characteristics:
The last bullet is usually the most difficult to satisfy. This will require support from the originator of the Subject object.
For example, consider an ObjectGrid client running in WebSphere Application Server (WAS) Extended Deployment (XD), which also hosts the ObjectGrid server. The client can retrieve the runAs Subject and then pass it to the ObjectGrid instance. The ObjectGrid server will then invoke the SubjectValidation mechanism, which uses WAS-specific APIs to validate that the Subject object has not been tampered with.
com.ibm.websphere.objectgrid.security.plugins.MapAuthorization plug-in is used to check whether the user represented by the Subject object has a specified ObjectMapPermission. Users can implement this interface to plug in their own authorization mechanism. For example, users can plug in their authorization mechanism, which uses Tivoli Access Manager Authorization Server. Starting from WebSphere XD 6.1, MapAuthorization has been deprecated. Users can use ObjectGridAuthorization to authorize map accesses.
com.ibm.websphere.objectgrid.security.plugins.AdminAuthorization plug-in can be used to authorize management operations to the principals contained in the Subject object. The permissions for the management operations are represented by AdminPermission objects.
com.ibm.websphere.objectgrid.security.plugins.ObjectGridAuthorization plug-in can be used to authorize ObjectGrid, ObjectMap and JavaMap accesses to the Principals represented by a Subject object. All access and operations to ObjectGrid can be authorized using this plug-in.
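How the roles described above fit together for one request, as an added sketch that is not IBM's code: the Demo* interfaces are simplified stand-ins defined here, not the real ObjectGrid plug-in interfaces (their signatures are not on this page). The user store, the policy and the "map:action" permission strings are constructed for the example.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class PluginFlowSketch {
    // Hypothetical stand-ins for the roles above; NOT the real ObjectGrid interfaces.
    interface DemoCredential extends Serializable { }   // travels from client to server
    interface DemoCredentialGenerator { DemoCredential getCredential(); }
    interface DemoAuthenticator { Subject authenticate(DemoCredential c); }
    interface DemoAuthorization { boolean check(Subject s, String map, String action); }

    record UserPassword(String user, byte[] password) implements DemoCredential { }
    record NamePrincipal(String name) implements Principal { public String getName() { return name; } }

    static byte[] sha256(byte[] in) {
        try { return MessageDigest.getInstance("SHA-256").digest(in); }
        catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    // Constructed user store. A bare hash keeps the sketch short; use a salted KDF in practice.
    static final Map<String, byte[]> USERS =
        Map.of("alice", sha256("correct horse".getBytes(StandardCharsets.UTF_8)));

    // Authenticator role: verify the credential on the server and build the Subject.
    static final DemoAuthenticator AUTHENTICATOR = c -> {
        if (!(c instanceof UserPassword up)) throw new SecurityException("unsupported credential");
        byte[] expected = USERS.get(up.user());
        // Constant-time compare; unknown users fail the same way as bad passwords.
        if (expected == null || !MessageDigest.isEqual(expected, sha256(up.password())))
            throw new SecurityException("authentication failed");
        Subject s = new Subject();
        s.getPrincipals().add(new NamePrincipal(up.user()));
        return s;
    };

    // Authorization role: default deny, grant only what the constructed policy lists.
    static final Map<String, Set<String>> POLICY = Map.of("alice", Set.of("accounts:read"));
    static final DemoAuthorization AUTHORIZATION = (s, map, action) ->
        s.getPrincipals().stream().anyMatch(p ->
            POLICY.getOrDefault(p.getName(), Set.of()).contains(map + ":" + action));

    public static void main(String[] args) {
        DemoCredentialGenerator gen = () ->   // client-side factory for the credential
            new UserPassword("alice", "correct horse".getBytes(StandardCharsets.UTF_8));
        Subject subject = AUTHENTICATOR.authenticate(gen.getCredential());
        System.out.println("read:  " + AUTHORIZATION.check(subject, "accounts", "read"));
        System.out.println("write: " + AUTHORIZATION.check(subject, "accounts", "write"));
    }
}
```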
For details about how to use these plug-ins, please refer to the individual JavaDoc and the ObjectGrid programming guide.