Configuring programmatic logins for Java Authentication and Authorization Service
A new JAAS login configuration can be added and modified using the administrative console. The changes are saved in the cell-level security document and are available to all managed application servers.
Before you begin
Java™ Authentication and Authorization Service (JAAS) is a feature in WebSphere® Application Server. JAAS is a collection of WebSphere Application Server strategic authentication APIs and replaces the Common Object Request Broker Architecture (CORBA) programmatic login APIs.
- com.ibm.websphere.security.auth.WSSubject. The com.ibm.websphere.security.auth.WSSubject API extends the JAAS authorization model to Java Platform, Enterprise Edition (Java EE) resources.
- You can configure the JAAS login in the administrative console and store this login configuration in the Application Server configuration. However, WebSphere Application Server still supports the default JAAS login configuration format (plain text file) that is provided by the JAAS default implementation. If duplicate login configurations are defined in both the WebSphere Application Server configuration API and the plain text file format, the one in the WebSphere Application Server configuration API takes precedence. Advantages to defining the login configuration in the WebSphere configuration API include:
  - User interface support in defining JAAS login configuration
  - Central management of the JAAS login configuration
  - Distribution of the JAAS login configuration during installation
- Proxy LoginModule. The Proxy LoginModule loads the actual LoginModule module. The default JAAS implementation does not use the thread context class loader to load classes. The LoginModule module cannot load if the LoginModule class file is not in the application class loader or the Java extension class loader class path. Due to this class loader visibility problem, WebSphere Application Server provides a proxy LoginModule module to load the JAAS LoginModule using the thread context class loader. You do not need to place the LoginModule implementation on the application class loader or the class path for the Java extension class loader with this proxy LoginModule module.
If you do not want to use the Proxy LoginModule module, you can place the LoginModule module in the WAS_HOME/lib/ext/ directory. However, this action is not recommended due to the security risks.
JAAS login configurations are defined in the WebSphere Application Server configuration application programming interface (API) security document. Click Security > Global security. Under Java Authentication and Authorization Service, click Application logins. The following JAAS login configurations are available:
- ClientContainer
- Defines a login configuration and a LoginModule implementation that is similar to that of the WSLogin configuration, but enforces the requirements of the WebSphere Application Server client container. For more information, see Configuration entry settings for Java Authentication and Authorization Service.
- DefaultPrincipalMapping
- Defines a special LoginModule module that is typically used by Java EE connectors to map an authenticated WebSphere Application Server user identity to a set of user authentication data (user ID and password) for the specified back-end enterprise information system (EIS). For more information about Java EE Connector and the DefaultMappingModule module, refer to the Java EE security section.
- WSLogin
- Defines a login configuration and a LoginModule implementation that applications can use in general.
A new JAAS login configuration can be added and modified using the administrative console. The changes are saved in the cell-level security document and are available to all managed application servers. An application server restart is required for the changes to take effect at run time.
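The following is an added example, not code from the WebSphere documentation, showing how an application performs a programmatic login against the WSLogin configuration listed above and then runs work under the authenticated Subject with WSSubject. It assumes the WebSphere runtime classes (com.ibm.websphere.security.auth.WSSubject and com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl) are on the class path and that the WSLogin entry exists in the cell-level security document (or in wsjaas.conf); the class name ProgrammaticLoginExample and the credentials passed in from the caller are placeholders.

```java
// Added example (not from the WebSphere documentation). Assumes the
// WebSphere runtime classes are available and that a WSLogin JAAS
// configuration is defined as described on this page.
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

public final class ProgrammaticLoginExample {

    // Name of the JAAS configuration entry; WSLogin is the general-purpose
    // application login configuration listed on this page.
    private static final String LOGIN_CONFIG = "WSLogin";

    /**
     * Authenticates the given user against the WSLogin configuration and
     * returns the populated Subject. The caller supplies the credentials
     * (for example from a secured prompt); they are never hard-coded here.
     */
    public static Subject login(String userId, String password) throws LoginException {
        // WSCallbackHandlerImpl answers the name/password callbacks that the
        // configured LoginModule issues during commit.
        LoginContext ctx = new LoginContext(LOGIN_CONFIG,
                new WSCallbackHandlerImpl(userId, password));
        ctx.login();            // throws LoginException on failure
        return ctx.getSubject();
    }

    /**
     * Runs an action with the authenticated Subject associated to the
     * current thread, so downstream Java EE authorization checks see
     * that identity rather than the original caller.
     */
    public static Object runAs(Subject subject, PrivilegedAction<Object> action) {
        return WSSubject.doAs(subject, action);
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: ProgrammaticLoginExample <userId> <password>");
            return;
        }
        try {
            Subject subject = login(args[0], args[1]);
            Object result = runAs(subject, () ->
                    // Placeholder for protected work; the principals in the
                    // Subject are what the container authorizes against.
                    "principals: " + subject.getPrincipals());
            System.out.println(result);
        } catch (LoginException e) {
            // Report failure without echoing which part of the credential
            // was wrong, and without printing the password.
            System.err.println("login to " + LOGIN_CONFIG + " failed: " + e.getMessage());
        }
    }
}
```

The LoginContext name must match the configuration entry exactly; if the entry is defined only in a node's wsjaas.conf, the login works on that node but fails with a LoginException on nodes that lack the entry, which is the portability problem the cell-level configuration avoids.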
Procedure
Results
However, new JAAS login configurations that are defined in the app_server_root/properties/wsjaas.conf file do not refresh automatically. Restart the application servers to validate changes. These JAAS login configurations are specific to a particular node and are not available for other application servers running on other nodes.