Sanjay.Dev

Jaas configuration query

2013-08-26T13:01:05Z

My application is already supported on WAS 8.5

I am trying to configure it on WAS Liberty 8.5.5

Here is the JAAS configuration necessary for this application. Attached screenshot (1.jpeg).

I want to configure the same for the Liberty server. According to the info center, no explicit configuration is needed for JAAS authentication unless we are using a custom module.

http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.wlp.nd.doc%2Fae%2Fcwlp_authentication.html

I would like to know if, by default in Liberty, there is a configuration for the WSProxy login module to delegate to WSLoginModuleImpl? I am also pasting my server.xml file and jvm.options file.

If I want to configure a new JAAS application login on Liberty with alias name FileNet, should I use a custom login module?

 

<server description="new server">

    <!-- Enable features -->
    <featureManager>
      <feature>webProfile-6.0</feature>
      <feature>jaxrs-1.1</feature>
      <feature>appSecurity-2.0</feature>
      <feature>ejbLite-3.1</feature>
      <feature>ldapRegistry-3.0</feature>
      <feature>wsSecurity-1.1</feature>
    </featureManager>

  <ldapRegistry id="ldap" realm="ldapRegistryRealm"
    host="9.122.215.105" port="389" ignoreCase="true"
    baseDN="cn=users,dc=ecm,dc=ibm,dc=local"
    bindDN="cn=p8admin,cn=users,dc=ecm,dc=ibm,dc=local"
    bindPassword="filenet"
    ldapType="Microsoft Active Directory"
    userFilter="(&amp;(sAMAccountName=%v)(objectclass=user))"
    groupFilter="(&amp;(cn=%v)(objectcategory=group))"
    userIdMap="user:sAMAccountName"
    groupIdMap="*:cn"
    groupMemberIdMap="memberOf:member"
    sslEnabled="false"
    sslRef="LDAPSSLSettings">
    </ldapRegistry>


<ltpa keysFileName="fnltpa.keys" keysPassword="filenet" expiration="120" />

   <!-- <application context-root="AjaxProxy" type="ear" id="AjaxProxy"
    location="AjaxProxy.ear" name="AjaxProxy">
    <application-bnd>
        <security-role name="All Authenticated">
            <special-subject type="EVERYONE" />
        </security-role>
    </application-bnd>
     </application> -->


    <application context-root="CaseBuilder" type="ear" id="casebuilder"
    location="CaseBuilder.ear" name="CaseBuilder">
    <application-bnd>
        <security-role name="All Authenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
    
        <classloader delegation="parentLast">
        <commonLibrary>
            <fileset dir="c:/jc/jass.conf" includes="jass.conf.WebSphere"/>
        </commonLibrary>
        </classloader>
    </application>

    <application context-root="CaseManager" type="ear" id="casemanager"
    location="CaseManager.ear" name="CaseManager">
    <application-bnd>
        <security-role name="All Authenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
    
    <classloader delegation="parentLast">
        <commonLibrary>
            <fileset dir="c:/jc/jass.conf" includes="jass.conf.WebSphere"/>
            <fileset dir="C:/wlp/wlp/usr/servers/libertyserver1/apps/CaseManager.ear/CaseManager.war/WEB-INF/lib" includes="*.jar"/>
        </commonLibrary>
        </classloader>

     </application>


 <!--  <basicRegistry id="basic" realm="customRealm">
         <user name="p8admin" password="filenet" />
    </basicRegistry> -->
    
    <authCache initialSize="100" maxSize="50000" timeout="15m"/>

    <authentication id="Basic" cacheEnabled="true" />    

    <httpEndpoint id="defaultHttpEndpoint"
                  host="localhost"
                  httpPort="9080"
                  httpsPort="9443" />


</server>

 

content of jvm.options:

-Djava.security.auth.login.config="C:\jc\jaas.conf.WebSphere"
-Dsun.net.http.allowRestrictedHeaders=true
-DmaxHttpCacheAge=5

 

content of jaas.conf.WebSphere:


FileNetP8 {
     com.ibm.ws.security.common.auth.module.WSLoginModuleImpl required;
};

FileNetP8WSI {
    com.filenet.api.util.WSILoginModule required;
};

FileNetP8Engine {
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
                        delegate=com.ibm.ws.security.common.auth.module.WSLoginModuleImpl;
};

FileNetP8Server {
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
                        delegate=com.ibm.ws.security.common.auth.module.WSLoginModuleImpl;
};

FileNetP8KerberosService {
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
                        delegate=com.filenet.engine.authentication.kerberos.login.KrbServiceLoginModule;
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
                        delegate=com.ibm.ws.security.server.lm.ltpaLoginModule;
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
                        delegate=com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule;
};

    utle@us.ibm.com

    Re: Jaas configuration query

    2013-08-27T14:52:23Z in response to Sanjay.Dev

    Hi,

    1) There is no JAAS login context entry configuration for WSProxy by default.

    2) If you have a JAAS custom login module, then you have to configure a custom JAAS login module. You don't need to specify WSLoginModuleProxy for a custom login module in 8.5.5; the runtime will automatically add the WSLoginModuleProxy for all JAAS custom login modules.

    You will need to configure the JAAS custom login module as in the following example:

    <jaasLoginContextEntry id="fileNetP8KerberosService" name="fileNetP8KerberosService" loginModuleRef="krbServiceLoginModule,hashtable,userNameAndPassword,certificate,token" />

    <jaasLoginModule id="krbServiceLoginModule" className="com.filenet.engine.authentication.kerberos.login.KrbServiceLoginModule" controlFlag="REQUIRED" libraryRef="customLoginLib"/>

    <library id="customLoginLib">
        <fileset dir="${server.config.dir}" includes="krbServiceLoginModule.jar"/>
    </library>

    Regards,

    Ut
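As an added example (not from the thread or from IBM), the script below applies the rule in the answer above to a jaas.conf in the format the question pasted: it parses each login context, collapses WSLoginModuleProxy/delegate pairs to the delegate class, and emits the equivalent jaasLoginModule and jaasLoginContextEntry elements. The libraryRef name customLoginLib and the built-in module refs appended to each entry are copied from the answer's example; treating com.ibm.ws.security.* classes as WAS-internal entries that need manual review rather than mapping them is an assumption, since the thread gives no Liberty equivalent for them.

```python
# Added example, not from the thread or IBM: translate a classic WebSphere
# jaas.conf into Liberty <jaasLoginModule>/<jaasLoginContextEntry> elements.
# Assumed: libraryRef name, built-in refs (from the answer), and that
# com.ibm.ws.security.* delegates are WAS-internal and get flagged, not mapped.
import re

PROXY_CLASS = "com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy"
BUILTIN_REFS = ["hashtable", "userNameAndPassword", "certificate", "token"]
CONTEXT_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
MODULE_RE = re.compile(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\s*([^;]*);", re.I)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*"?([^\s"]+)"?')

def parse_jaas_conf(text):
    """Return {context: [(class_name, CONTROL_FLAG, {option: value}), ...]}."""
    return {name: [(cls, flag.upper(), dict(OPTION_RE.findall(opts)))
                   for cls, flag, opts in MODULE_RE.findall(body)]
            for name, body in CONTEXT_RE.findall(text)}

def resolve_delegate(cls, options):
    """Collapse the WAS proxy indirection: the delegate is the real module."""
    return options.get("delegate", cls) if cls == PROXY_CLASS else cls

def liberty_xml(contexts, library_ref="customLoginLib"):
    """Emit server.xml elements; WAS-internal modules become review comments."""
    lines, seen = [], set()
    for name, modules in contexts.items():
        refs = []
        for cls, flag, options in modules:
            cls = resolve_delegate(cls, options)
            if cls.startswith("com.ibm.ws.security."):
                lines.append(f"<!-- {name}: {cls} is WAS-internal; review by hand -->")
                continue
            simple = cls.rsplit(".", 1)[-1]
            mid = simple[0].lower() + simple[1:]   # id from the simple class name
            refs.append(mid)
            if mid not in seen:
                seen.add(mid)
                lines.append(f'<jaasLoginModule id="{mid}" className="{cls}" '
                             f'controlFlag="{flag}" libraryRef="{library_ref}"/>')
        ref_list = ",".join(refs + BUILTIN_REFS)
        lines.append(f'<jaasLoginContextEntry id="{name}" name="{name}" '
                     f'loginModuleRef="{ref_list}"/>')
    return "\n".join(lines)

# Constructed sample in the thread's jaas.conf format (not the poster's file).
SAMPLE_CONF = """
FileNetP8KerberosService {
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
        delegate=com.filenet.engine.authentication.kerberos.login.KrbServiceLoginModule;
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
        delegate=com.ibm.ws.security.server.lm.ltpaLoginModule;
};
"""
```

Running `print(liberty_xml(parse_jaas_conf(SAMPLE_CONF)))` yields one jaasLoginModule for the Kerberos class, a review comment for the ltpa module, and the context entry that references both the custom id and the built-in refs.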