Configuring WebSphere Studio to use Tivoli Access Manager and JAAS

This article shows you how to configure WebSphere Studio so you can use Java Authentication and Authorization Service (JAAS) and Tivoli Access Manager to authenticate distributed code.

Introduction

IBM® Tivoli® Access Manager for e-business (hereafter called Access Manager) is an enterprise-wide security solution. It provides end-to-end security, including single sign-on, distributed Web-based administration, and policy-based security. It also provides an out-of-the-box implementation of the Java™ Authentication and Authorization Service (JAAS) API, which is now the standard J2EE security API. Java developers can code to the standard JAAS API and still harness the power of Access Manager's central security repository.

This article shows you how to set up the WebSphere Studio development environment to use Access Manager's implementation of JAAS. The same instructions apply to any Java runtime, such as WebSphere® Application Server. The article includes sample code to illustrate simple authorization calls from custom Java code to Access Manager via JAAS.


Assumptions and pre-configuration

  • This article assumes WebSphere Studio is installed in the directory C:\WSAD. If it is installed in a different directory, adjust the paths given below accordingly.
  • This article assumes you have a properly installed and configured Access Manager server. It could be on the same machine as WebSphere Studio, or on a separate server. If it's already installed on the same machine, you can skip Step 2, but ensure that you've installed the Java runtime.
  • Step 8 is optional and assumes that you have already installed and configured an Access Manager WebSEAL server. If you have not, just skip this step -- you will still be able to do authentication and authorization using Access Manager via JAAS, only without the Web single-sign-on that WebSEAL provides.

Product versions used

  • WebSphere Studio Application Developer Version 4.01
  • Tivoli Access Manager Version 3.9

These instructions should work for any version of Tivoli Access Manager, and any WebSphere Studio test server that is based on WebSphere Application Server 4.x.


1. Choose JRE to configure

You must choose a particular Java runtime environment (JRE) to use JAAS and connect to an Access Manager server. This article assumes you will be configuring the WebSphere Studio test server. However, you can follow the same steps for any JRE -- simply substitute the path for that JRE.

The WebSphere Studio test server's JRE is located at the following path: C:\WSAD\plugins\com.ibm.etools.server.jdk\jre


2. Install Access Manager runtime and Java runtime

From the Tivoli Access Manager CD, install the IBM SecureWay Directory 3.2.2 client. Be sure to install the client only, unless you plan to run an LDAP server on your development machine for some other purpose. Install to C:\IBM\LDAP.

Also from the Tivoli Access Manager CD, install the Access Manager runtime and Java runtime components. Install to C:\IBM\Tivoli\PolicyDirector.


3. Customize and run configuration batch file

Modify the file C:\IBM\Tivoli\PolicyDirector\PD\sbin\pdjrtecfg.bat so that the java invocation uses the WebSphere Studio test server's JRE, as shown below (the added section, the full path to that JRE's java executable, was shown in bold in the original article):

. . . 
"C:\WSAD\plugins\com.ibm.etools.server.jdk\jre\bin\java" 
   -Djava.ext.dirs -Dpd.home="%PD_HOME%" 
      -cp "%PDJ_CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg %1 %2 %3 %4 %5 %6 %7 %8 %9

Save this file in the sbin directory as pdjrtecfg.wsad.bat

From a command prompt, switch to the sbin directory and run the following command:

pdjrtecfg.wsad.bat -action config -java_home C:\WSAD\plugins\com.ibm.etools.server.jdk\jre

If this batch command succeeds, you will get either no response, or a message saying that the PolicyDirector directory was created. This command should also copy the PD.jar and jaas.jar files into the C:\WSAD\plugins\com.ibm.etools.server.jdk\jre\lib\ext directory. You can now add them to the build paths of any WebSphere Studio projects that reference JAAS or Access Manager classes -- use the SERVER_JDK classpath variable and drill down.


4. Run the Java SvrSslCfg configuration program

From a command prompt, run the following command (all on one line):

"C:\WSAD\plugins\com.ibm.etools.server.jdk\jre\bin\java" 
  com.tivoli.mts.SvrSslCfg pdwsad 
    sec_master password  policy-server hostname  authorization-server hostname  7135 7136

where:

  • sec_master password is the password of the Access Manager admin user, sec_master.
  • policy-server hostname is the hostname where the Access Manager policy server is installed (your local machine's hostname if installed locally as in Step 2.)
  • authorization-server hostname is the hostname where the Access Manager authorization server is installed (your local machine's hostname if installed locally as in Step 2.)
  • pdwsad is the name of the new server node that will be defined within Access Manager (you can choose a different name if you like).
  • 7135 and 7136 are the ports of the Access Manager policy and authorization servers, respectively -- replace these if your server doesn't use the default ports.

If this command succeeds, you should get no response.


5. Modify java.security file

Open the java.security file for the WebSphere Studio test server:

C:\WSAD\plugins\com.ibm.etools.server.jdk\jre\lib\security\java.security

Add the following lines at the bottom:

# JAAS login configuration file location 
login.config.url.1=file:${java.home}/lib/security/config.pd 
 
# JAAS authorization policy file location 
auth.policy.url.1=file:${java.home}/lib/security/jaas.policy

6. Modify java.policy file

Add the following lines to the java.policy file in the C:\WSAD\plugins\com.ibm.etools.server.jdk\jre\lib\security directory:

// for JAAS and TAM we must grant the following permissions: 
grant { 
  permission javax.security.auth.AuthPermission "createLoginContext"; 
  permission javax.security.auth.AuthPermission "doAs"; 
  permission javax.security.auth.AuthPermission "doAsPrivileged"; 
  permission javax.security.auth.AuthPermission "modifyPrincipals"; 
  permission javax.security.auth.AuthPermission "getSubject"; 
  permission javax.security.auth.AuthPermission "createPDPrincipal"; 
 
  permission com.tivoli.mts.PDPermission "ignoreme","a"; 
};

7. Add jaas.policy and config.pd files

In the C:\WSAD\plugins\com.ibm.etools.server.jdk\jre\lib\security directory, create the following files:

config.pd

//// config.pd: Login configuration file for PDLoginModule 
 
pd-debug { 
   com.tivoli.mts.PDLoginModule required debug=true; 
}; 
 
pd { 
   com.tivoli.mts.PDLoginModule required; 
}; 
 
pd-nopass { 
   com.tivoli.mts.PDLoginModule required nameOnly=true; 
};

jaas.policy

grant Principal com.tivoli.mts.PDPrincipal "*" { 
		permission com.tivoli.mts.PDPermission "ignoreme","a"; 
};

Use the pd-debug login configuration to enable extra tracing of the Access Manager authentication during runtime. You should now be ready to do JAAS authentication and authorization against your Access Manager server, all from within your WebSphere Studio test environment. See the references below for more information on developing with JAAS.
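As an added illustration (not the article's downloadable sample and not Tivoli code), the following Java class performs the same two steps the sample JSP exercises: a JAAS login through the pd or pd-nopass entry of config.pd, followed by a PDPermission check run as the authenticated Subject. It compiles against the PD.jar and jaas.jar copied in Step 3, and assumes that PDLoginModule requests the user name and password through the standard NameCallback and PasswordCallback, and that PDPermission has a (objectName, actions) constructor as the policy entries above suggest.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.tivoli.mts.PDPermission;

public class PdJaasCheck {
    // Answers PDLoginModule's NameCallback/PasswordCallback (assumed to be the standard JAAS callbacks).
    static CallbackHandler handler(final String user, final char[] pwd) {
        return new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (int i = 0; i < cbs.length; i++) {
                    if (cbs[i] instanceof NameCallback) {
                        ((NameCallback) cbs[i]).setName(user);
                    } else if (cbs[i] instanceof PasswordCallback) {
                        ((PasswordCallback) cbs[i]).setPassword(pwd);
                    } else {
                        throw new UnsupportedCallbackException(cbs[i]);
                    }
                }
            }
        };
    }

    // Logs in through the "pd" or "pd-nopass" entry of config.pd, then reports whether
    // the user may perform 'action' (e.g. "r") on the Access Manager object 'resource'.
    // A wrong password or an account set to account-valid no surfaces as a LoginException.
    public static boolean isAuthorized(String user, String password, boolean pwdRequired,
            final String resource, final String action) throws LoginException {
        String entry = pwdRequired ? "pd" : "pd-nopass";
        char[] pwd = pwdRequired ? password.toCharArray() : new char[0];
        LoginContext lc = new LoginContext(entry, handler(user, pwd));
        lc.login();
        // jaas.policy grants PDPermission to every PDPrincipal; the real decision is made
        // by Access Manager when the granted PDPermission is asked whether it implies this one.
        Boolean ok = (Boolean) Subject.doAs(lc.getSubject(), new PrivilegedAction() {
            public Object run() {
                try {
                    AccessController.checkPermission(new PDPermission(resource, action));
                    return Boolean.TRUE;
                } catch (SecurityException denied) {
                    return Boolean.FALSE;
                }
            }
        });
        lc.logout();
        return ok.booleanValue();
    }
}
```

Calling isAuthorized("arthur", "passw0rd", true, "/MyApp/MyProtectedResource", "r") corresponds to case D of the sample; passing "igor" is case B and should return false because igor is not in sampleAdmins.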


8. Add WebSEAL junction for your WebSphere Studio test server (optional)

Do this step only if you want to integrate your Java code with Access Manager WebSEAL, which is a reverse proxy server that supports single-sign-on and increased, better-managed security.

On the WebSEAL server, start the Administration Command Prompt (pdadmin) and run the following commands to create a junction to your WebSphere Studio test server running on port 8080. Enter individual commands on one line and let the command prompt scroll as needed.

pdadmin> server task webseald-{webseal hostname} create -t tcp -h {wsad hostname} 
     -p 8080 -j -w -i -c iv-user /wsadXXX 
pdadmin> server task webseald-{webseal hostname} show /wsadXXX

where:

  • Replace webseal hostname with the hostname of the WebSEAL server.
  • Replace wsad hostname with the hostname of the WebSphere Studio workstation.
  • Replace XXX with the identifier for your workstation, such as your name, a unique number, or your hostname.

Now, if you request the following URL, you will actually be going through WebSEAL to get to your WebSphere Studio test server on port 8080:

https://{webseal-hostname}/wsadXXX

How to run the sample code

You can download the sample code below. It provides an example of using the JAAS API to call Tivoli Access Manager. To get a full understanding of what is happening, read through the JSP and Java code, which is commented throughout.

Install the sample code into WebSphere Studio

Create a new Web project called JAAS-SampleWeb. Then import the JAAS-SampleWeb.war file into that project. Make sure your Web project is configured as a module for an EAR project.

Create Access Manager sample objects

In order to run the sample code, you must first create some sample objects in Access Manager, such as users, groups, and protected resources.

Start the pdadmin command line (it's called "Administration command prompt" on the Windows Start menu). Run the following script -- copy and paste works well -- after you have logged in as sec_master. The password for both users is passw0rd (with a zero in place of the "o").

################################################ 
# Access Manager Configuration for JAAS Sample # 
################################################ 
#Run these commands from the pdadmin command line. 
#Note: login as sec_master before running these commands. 
 
#create object space and protected resources 
objectspace create /MyApp "Protected objectspace for JAAS sample." 0 
object create /MyApp/MyProtectedResource "Protected resource for JAAS Sample" 0 
 
#create sampleAdmins group 
#NOTE: depending on your LDAP setup, you may have to change the distinguished name used below 
group create sampleAdmins cn=sampleAdmins,cn=groups,dc=ibm,dc=com sampleAdmins 
 
#create user arthur -- you could copy and change the user name if you want to add more users 
#NOTE: depending on your LDAP setup, you may have to change the distinguished name used below 
user create arthur uid=arthur,cn=users,dc=ibm,dc=com arthur Arthur passw0rd 
user modify arthur account-valid yes 
 
#add user arthur to sampleAdmins group 
group modify sampleAdmins add arthur 
 
#create user igor, but don't add him to sampleAdmins group 
#NOTE: depending on your LDAP setup, you may have to change the distinguished name used below 
user create igor uid=igor,cn=users,dc=ibm,dc=com igor Igor passw0rd 
user modify igor account-valid yes 
 
#create sample_ACL 
acl create sample_ACL 
acl modify sample_ACL set group sampleAdmins Trx 
acl modify sample_ACL set description "Default ACL for JAAS sample." 
 
#attach sample_ACL to protected resource object 
acl attach /MyApp/MyProtectedResource sample_ACL

Run the sample

Configure and start a WebSphere Test Server in WebSphere Studio. Make sure you've added your EAR project to this server. Then simply click on the URLs below, which will call the test JSP in different ways:

A. Test with password not required, user Arthur

http://localhost:8080/JAAS-SampleWeb/SecurityHandlerTest.jsp?user=arthur&pwdRequired=no&resource=/MyApp/MyProtectedResource
Successful because Arthur is a member of the sampleAdmins group, which has r (read) access to the specified protected resource.

Figure 1. Authorization is successful.

B. Test with password not required, user Igor

http://localhost:8080/JAAS-SampleWeb/SecurityHandlerTest.jsp?user=igor&pwdRequired=no&resource=/MyApp/MyProtectedResource
Authorization fails because Igor is not a member of the sampleAdmins group.

Figure 2. Authorization fails.

C. Test with password required, user Arthur, password badpwd

http://localhost:8080/JAAS-SampleWeb/SecurityHandlerTest.jsp?user=arthur&pass=badpwd&pwdRequired=yes&resource=/MyApp/MyProtectedResource
This time, authentication fails because the password is incorrect.

Figure 3. Authentication fails: wrong password.

D. Test with password required, user Arthur, password passw0rd

http://localhost:8080/JAAS-SampleWeb/SecurityHandlerTest.jsp?user=arthur&pass=passw0rd&pwdRequired=yes&resource=/MyApp/MyProtectedResource
Now authentication succeeds because the password is correct, and authorization succeeds because arthur is a member of the sampleAdmins group.

Figure 4. Authentication and authorization both succeed.

Disable arthur's account and see the result

Now try running the following command on the pdadmin command line: user modify arthur account-valid no. Then execute the URL from case D above. You should get an AccountExpiredException:

Figure 5. Account is invalid.

Conclusion

This article described the process for setting up your WebSphere Studio development environment to use Tivoli Access Manager's JAAS implementation. You can use the same steps to set up any Java Runtime Environment, such as a development or production server. You should now be ready to write Java applications that talk to Access Manager via its implementation of the JAAS API.


Download

Description: Code sample
Name: JAAS-SampleWeb.zip (HTTP | FTP)
Size: 0.1 MB

Resources

developerWorks, WebSphere zone. ArticleID 14069. Publish date: 04/23/2003.