You can implement a custom authentication provider using Java Authentication SPI for Containers (JASPI, sometimes called JASPIC) to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications.
Before you begin
For JASPI authentication processing to take place, application security must be enabled in the global or domain security configuration, and the server must be restarted for the configuration changes to take effect. Read the Application security topic for more information.
About this task
New feature: This release of WebSphere® Application Server supports the JSR 196: Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) specification, which enables third-party security providers to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications.

The JASPI specification extends the pluggable authentication concepts of the Java Authentication and Authorization Service (JAAS) to the authentication of HTTP request and response messages. When application security is enabled, and a protected web resource is accessed, the web container and the security runtime collaborate to make an authentication decision for the caller. When using a third-party JASPI provider, the authentication decision is delegated to that provider.
The JASPI specification defines standard system programming interfaces that enable developers to write a pluggable custom authentication provider that can handle Java EE web authentication mechanisms as well as any extended authentication processing. The WebSphere Application Server runtime uses these standard system programming interfaces to invoke the JASPI authentication provider. For the requirements that third-party authentication providers must satisfy, read the Servlet Container Profile section in the JSR 196: Java Authentication Service Provider Interface for Containers specification.
If application security is enabled with JASPI authentication, when a web resource (such as a servlet or a JavaServer Pages (JSP) file) is accessed, the security runtime checks whether the web resource is mapped to a JASPI provider defined in the security configuration. If so, the runtime invokes the JASPI authentication provider to perform authentication for the HTTP request and response messages.
To implement a custom authentication provider using JASPI, you must do the following:
Procedure
- Develop a custom JASPI authentication provider.
  WebSphere Application Server provides support for the development of custom JASPI authentication providers to be used to perform authentication for the HTTP request and response messages destined for web applications. Read Developing a custom JASPI authentication provider for more information.
- Configure a new JASPI authentication provider.
  WebSphere Application Server allows an administrator to enable JASPI authentication and to define a third-party JASPI authentication provider as part of the global or domain security configuration. Read Configuring a new JASPI authentication provider using the administrative console for more information.
- Associate a JASPI authentication provider with an application or specific web modules.
  During application deployment, the administrator or deployer can use the Map JASPI Provider option to associate web applications and specific web modules with an existing JASPI authentication provider as defined in the security configuration. This association can also be made when editing the options for an existing installed application. By default, an application inherits the JASPI settings defined in the WebSphere Application Server global or domain security configuration, and web modules inherit the application setting. The Map JASPI Provider option can be used to override these defaults. Read Enabling JASPI authentication using the Map JASPI provider option during application deployment for more information.