IBM Streams 4.3.0
JAAS login configuration file example
This example shows the format of the JAAS login configuration file and provides information about several file elements and attributes. For more information about the file elements and attributes, see the notes that follow the example.
Figure 1. JAAS login configuration file example
<?xml version="1.0" encoding="UTF-8"?>
<securityDomain xmlns="http://www.ibm.com/xmlns/prod/streams/security/domain/config/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <authentication>
    <jaas>
      <jaasConfig name="streams-jaas">
        <loginModule moduleClass="com.ibm.streams.security.authc.module.X509CertLoginModule" flag="sufficient">
        </loginModule>
        <loginModule moduleClass="com.ibm.streams.security.authc.module.PAMLoginModule" flag="sufficient">
          <moduleOption name="service" value="login" />
        </loginModule>
        <loginModule moduleClass="com.ibm.streams.security.authc.module.LDAPLoginModule" flag="sufficient">
          <moduleOption name="serverUrl" value="ldap://bluepages.ibm.com:389" />
          <moduleOption name="userDnPattern" value="uid=*,c=us,ou=bluepages,o=ibm.com" />
          <moduleOption name="userSecondaryLookup" value="(&amp;(objectclass=ibmperson)(notesshortname=*)) uid" />
          <moduleOption name="groupObjectclass" value="groupOfUniqueNames" />
          <moduleOption name="groupSearchBaseDn" value="ou=memberlist,ou=ibmgroups,o=ibm.com" />
          <moduleOption name="groupAttributeWithUserNames" value="uniquemember" />
          <moduleOption name="userAttributeStoredInGroupAttribute" value="dn" />
        </loginModule>
      </jaasConfig>
    </jaas>
  </authentication>
</securityDomain>
Notes:
- You can specify one or more <loginModule> elements under the <jaasConfig> element.
- Authentication occurs in the order that you list the login modules.
- The moduleClass attribute specifies the fully qualified implementation class name.
- The flag attribute controls the behavior as authentication proceeds down the list of modules. It takes one of the following values:
  - required: The login module is required to succeed. Authentication continues down the login module list whether the login module succeeds or fails.
  - requisite: The login module is required to succeed. If it succeeds, authentication continues down the login module list. If it fails, authentication does not proceed down the login module list and control returns to the application.
  - sufficient: The login module is not required to succeed. If it succeeds, authentication does not proceed down the login module list and control returns to the application. If it fails, authentication continues down the login module list.
  - optional: The login module is not required to succeed. Whether it succeeds or fails, authentication continues down the login module list.
- Overall authentication succeeds if all required and requisite login modules succeed. If a sufficient login module is configured and succeeds, only the required and requisite login modules before that sufficient login module need to succeed for the overall authentication to succeed. If no required or requisite login modules are configured for an application, at least one sufficient or optional login module must succeed.
Table 1. Login module configuration scenarios

| Login module | Flag | Scenario 1 | Scenario 2 | Scenario 3 | Scenario 4 | Scenario 5 | Scenario 6 | Scenario 7 | Scenario 8 |
|---|---|---|---|---|---|---|---|---|---|
| A | required | PASS | PASS | PASS | PASS | FAIL | FAIL | FAIL | |
| B | sufficient | PASS | FAIL | FAIL | FAIL | PASS | FAIL | FAIL | PASS |
| C | requisite | | PASS | PASS | FAIL | | PASS | PASS | |
| D | optional | | PASS | FAIL | | | PASS | FAIL | |
| Overall authentication | | PASS | PASS | PASS | FAIL | FAIL | FAIL | FAIL | PASS |

- Module options can be specified in the <moduleOption> element as a name-value pair. You can specify zero or more <moduleOption> elements under the <loginModule> element.
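
The flag rules in the notes and the scenarios in Table 1, worked through as an added Python example (not IBM Streams code and not the JAAS runtime itself). It reads the loginModule list from a trimmed, constructed copy of Figure 1 and evaluates overall authentication as the notes describe; the function names `load_modules`, `evaluate` and `sole_grantors` are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"sd": "http://www.ibm.com/xmlns/prod/streams/security/domain/config/1.0"}

# Constructed sample: Figure 1 reduced to its loginModule elements (options omitted).
SAMPLE = """<securityDomain xmlns="http://www.ibm.com/xmlns/prod/streams/security/domain/config/1.0">
<authentication><jaas><jaasConfig name="streams-jaas">
<loginModule moduleClass="com.ibm.streams.security.authc.module.X509CertLoginModule" flag="sufficient"/>
<loginModule moduleClass="com.ibm.streams.security.authc.module.PAMLoginModule" flag="sufficient"/>
<loginModule moduleClass="com.ibm.streams.security.authc.module.LDAPLoginModule" flag="sufficient"/>
</jaasConfig></jaas></authentication></securityDomain>"""

def load_modules(xml_text):
    """Return [(short class name, flag)] in the order the modules are listed."""
    root = ET.fromstring(xml_text)
    return [(m.get("moduleClass").rsplit(".", 1)[-1], m.get("flag"))
            for m in root.iterfind(".//sd:loginModule", NS)]

def evaluate(modules, outcomes):
    """Apply the flag rules from the notes. outcomes maps name -> True (PASS) / False (FAIL).
    Returns (overall result, names of the modules that were invoked)."""
    invoked, strict_seen, strict_ok, lenient_ok = [], False, True, False
    for name, flag in modules:
        ok = outcomes[name]
        invoked.append(name)
        if flag in ("required", "requisite"):
            strict_seen, strict_ok = True, strict_ok and ok
            if flag == "requisite" and not ok:
                break                      # control returns to the application
        elif flag in ("sufficient", "optional"):
            lenient_ok = lenient_ok or ok
            if flag == "sufficient" and ok:
                break                      # later modules are not consulted
        else:
            raise ValueError(f"unknown flag {flag!r} on {name}")
    # With no required/requisite module in play, one sufficient/optional pass is enough.
    return (strict_ok if strict_seen else lenient_ok), invoked

def sole_grantors(modules):
    """Audit helper: modules whose success alone, with every other module failing,
    is enough for overall authentication to pass."""
    names = [name for name, _ in modules]
    return [n for n in names if evaluate(modules, {m: m == n for m in names})[0]]

if __name__ == "__main__":
    mods = load_modules(SAMPLE)
    print(mods)
    print("any one of these authenticates on its own:", sole_grantors(mods))
```

For the configuration in Figure 1, `sole_grantors` returns all three modules, because every module is flagged sufficient and no required or requisite module is configured.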