Configuring JAAS for database authentication

You can use Java™ Authentication and Authorization Service (JAAS) for database authentication.

About this task

You can use a JAAS login context entry to specify a custom login module to use for setting the username and password to authenticate to a database.

Procedure

  1. Add the appSecurity-2.0, jdbc-4.0, and jca-1.6 features in the server.xml file. You can also add appSecurity-2.0, jdbc-4.1, and jca-1.7. For example:
    
    <featureManager>
       <feature>appSecurity-2.0</feature>
       <feature>jdbc-4.0</feature>
       <feature>jca-1.6</feature>
    </featureManager>

    Stabilized feature: The jca-1.6 feature is stabilized. You can continue to use the jca-1.6 feature. However, consider using a later JCA feature.
  2. Configure a jaasLoginContextEntry element in the server.xml file with the login module to use. For example:
    
    <jaasLoginContextEntry id="myJAASLoginEntry" name="myJAASLoginEntry" loginModuleRef="myLoginModule" />
    <jaasLoginModule id="myLoginModule" className="my.package.MyLoginModule" controlFlag="REQUIRED" libraryRef="customLoginLib"/>

    <library id="customLoginLib">
       <fileset dir="${server.config.dir}" includes="MyLoginModule.jar"/>
    </library>
  3. Configure the dataSource element jaasLoginContextEntryRef attribute with the ID of the jaasLoginContextEntry element that you configured in step 2, as shown in the following example.
    
    <dataSource id="ds1" jndiName="jdbc/ds1" jdbcDriverRef="DB2" 
                jaasLoginContextEntryRef="myJAASLoginEntry" .../>

    However, this jaasLoginContextEntryRef value is used by the configuration only if the data source is identified in the EAR application.xml file or WAR web.xml file by using a res-ref JNDI reference that specifies a res-auth value of Container. Otherwise, the jaasLoginContextEntryRef value is ignored.

    The following example demonstrates the application.xml or web.xml configuration that is required when you specify a custom login module by defining a jaasLoginContextEntryRef value in the server.xml file.

    <resource-ref>
    	 <res-ref-name>java:app/jdbc/ds1</res-ref-name>
    	 <res-type>javax.sql.DataSource</res-type>
    	 <res-auth>Container</res-auth>
    </resource-ref>
    
  4. As an alternative to step 3, you can configure a custom-login-configuration element in the deployment descriptor ibm-web-bnd.xml file of your application. The name attribute must match the id attribute for jaasLoginContextEntry that is defined in the server.xml file. For example:
    
    <resource-ref name="jdbc/ds1ref" binding-name="jdbc/ds1">
       <custom-login-configuration name="myJAASLoginEntry">
         <property name="property1" value="value1"/>
       </custom-login-configuration>
    </resource-ref>
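
The following check is an added example, not part of the original procedure or of the product: it reads a server.xml and a web.xml and reports each dataSource whose jaasLoginContextEntryRef points at no jaasLoginContextEntry, or whose value is ignored because no matching resource-ref declares a res-auth value of Container (step 3). The sample XML, the ds2 data source, the finding labels, and the rule used to match a res-ref-name to a jndiName are assumptions made for illustration; the step 4 alternative in ibm-web-bnd.xml is not examined.

```python
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the snippets above (ds2 is made up).
SERVER_XML = """<server>
  <jaasLoginContextEntry id="myJAASLoginEntry" name="myJAASLoginEntry" loginModuleRef="myLoginModule"/>
  <dataSource id="ds1" jndiName="jdbc/ds1" jaasLoginContextEntryRef="myJAASLoginEntry"/>
  <dataSource id="ds2" jndiName="jdbc/ds2" jaasLoginContextEntryRef="missingEntry"/>
</server>"""
WEB_XML = """<web-app>
  <resource-ref>
    <res-ref-name>java:app/jdbc/ds1</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Application</res-auth>
  </resource-ref>
</web-app>"""

def _local(tag):
    # Drop any "{namespace}" prefix so namespaced descriptors also match.
    return tag.rsplit("}", 1)[-1]

def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def audit(server_xml, descriptor_xml):
    """Return (dataSource id, problem) pairs for jaasLoginContextEntryRef settings."""
    server, desc = ET.fromstring(server_xml), ET.fromstring(descriptor_xml)
    entry_ids = {e.get("id") for e in _elements(server, "jaasLoginContextEntry")}
    res_refs = [(_child_text(r, "res-ref-name"), _child_text(r, "res-auth"))
                for r in _elements(desc, "resource-ref")]
    findings = []
    for ds in _elements(server, "dataSource"):
        ref, jndi = ds.get("jaasLoginContextEntryRef"), ds.get("jndiName", "")
        if not ref:
            continue
        if ref not in entry_ids:
            findings.append((ds.get("id"), "unresolved-entry"))
        # Assumption: a res-ref-name maps to the data source when it equals the
        # jndiName or ends with "/" + jndiName (e.g. java:app/jdbc/ds1).
        auths = [auth for name, auth in res_refs
                 if jndi and (name == jndi or name.endswith("/" + jndi))]
        if "Container" not in auths:
            findings.append((ds.get("id"), "ref-ignored"))
    return findings

if __name__ == "__main__":
    for ds_id, problem in audit(SERVER_XML, WEB_XML):
        print(ds_id, problem)
```

A "ref-ignored" finding means the custom login module named in server.xml is not the source of the database credentials for that data source, which is worth catching in review before deployment.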