Use this task to modify configurations to perform System Authorization Facility (SAF) identity mapping.
About this task
A mapping module must be placed in the Java Authentication and Authorization Service (JAAS) configuration to provide the mapping from a non-local operating system registry to a SAF user ID. The com.ibm.ws.security.common.auth.module.MapPlatformSubject login module follows this mapping module in the configuration. You can do this using either the Simple WebSphere® Authentication Mechanism (SWAM) or the Lightweight Third Party Authentication (LTPA) authentication mechanism.
For more information, see Selecting an authentication mechanism and Java Authentication and Authorization Service.
Note: SWAM is deprecated in WebSphere Application Server Version 8.5 and will be removed in a future release.
Application login configurations do not require changes to perform SAF identity mapping. The WebSphere application login configuration entry WSLogin calls a system login module that is configured as the default, and that module performs the mapping if SAF authorization is required.
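An illustrative mapping login module of the kind described above, added here as an example that is not part of the original page or of WebSphere Application Server. It assumes a hypothetical class name and hypothetical shared-state keys (the keys that MapPlatformSubject actually reads are not given on this page), and a constructed registry-to-SAF mapping table; only the ordering, with the mapping module ahead of MapPlatformSubject, and the entry names come from the page.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Illustrative mapping module placed ahead of MapPlatformSubject, for example:
//   WEB_INBOUND {
//     com.example.saf.RegistryToSafMappingModule required;
//     com.ibm.ws.security.common.auth.module.MapPlatformSubject required;
//   };
// It resolves the registry user authenticated by the preceding modules to a SAF
// user ID and passes that ID on through the JAAS shared state.
public class RegistryToSafMappingModule implements LoginModule {
    // Hypothetical shared-state keys: the keys MapPlatformSubject really reads are
    // not given on this page and must be taken from the product documentation.
    static final String AUTHENTICATED_USER = "example.authenticatedUser";
    static final String MAPPED_SAF_USER = "example.mappedSafUser";
    // Constructed sample table: registry identity -> SAF user ID.
    private static final Map<String, String> TABLE = Map.of(
        "uid=alice,ou=people,dc=example,dc=com", "ALICE1",
        "uid=bob,ou=people,dc=example,dc=com", "BOB1");
    private Map<String, Object> sharedState;
    private String safUser;

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
    }

    // Pure mapping step: fails closed when no mapping exists rather than
    // falling back to a default SAF identity.
    static String mapToSafUser(String registryUser) throws LoginException {
        String saf = TABLE.get(registryUser);
        if (saf == null || saf.isEmpty() || saf.length() > 8) { // SAF user IDs are 1-8 chars
            throw new LoginException("no SAF mapping for " + registryUser);
        }
        return saf;
    }

    @Override
    public boolean login() throws LoginException {
        Object user = sharedState.get(AUTHENTICATED_USER);
        if (user == null) throw new LoginException("no authenticated user in shared state");
        safUser = mapToSafUser(user.toString());
        sharedState.put(MAPPED_SAF_USER, safUser); // read by the module that follows
        return true;
    }

    @Override public boolean commit() { return safUser != null; }
    @Override public boolean abort() { safUser = null; return true; }
    @Override public boolean logout() { safUser = null; return true; }
}
```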
To modify configurations to perform System Authorization Facility (SAF) identity mapping when WebSphere Application Server is configured, complete the following steps.
What to do next
When LTPA is configured and you are mapping the WebSphere Application Server registry to a SAF user ID, the following system login configuration entries must be configured to provide the user mapping:
- WEB_INBOUND
- The WEB_INBOUND login configuration handles logins for web application requests, including servlets and JavaServer Pages (JSP). This login configuration interacts with the output object that is generated from a trust association interceptor (TAI), if one is configured. The Subject that is passed into the WEB_INBOUND login configuration can contain objects that are generated by the TAI.
  WebSphere Application Server administrative console requests and a subset of administrative functions, including file transfer, authenticate using this login configuration entry.
- RMI_INBOUND
- The RMI_INBOUND login configuration handles logins for inbound RMI requests. Typically, these logins are requests for authenticated access to Enterprise JavaBeans (EJB) files, and can be performed as Java Management Extensions (JMX) requests when using the RMI connector.
- DEFAULT
- The DEFAULT login configuration handles the logins for inbound requests made by most other protocols and internal authentications, such as communication between a z/OS® controller and servant processes after an initial authentication request is performed.
When SWAM is configured and you are mapping the WebSphere Application Server user registry to a SAF identity, configure the following system login configuration entry to provide the user mapping:
Note: SWAM is deprecated in WebSphere Application Server Version 8.5 and will be removed in a future release.
- SWAM
- This entry is used for all authentication when SWAM is selected.