Control which users have specific permissions to access
the data grid through the policy file.
About this task
Even if a client is authenticated, that might not be enough
to protect data grid access. If you use the KeyStoreLoginAuthenticator,
usually you only define a few identities, and all of the identities
might have full access to the data grid. In this case, authorization
might not be necessary. However, if LDAP authentication is used, there
might be many identities in the LDAP server that must not be granted
access to grid data or operations.
Procedure
- Enable access control for the data grid.
Specify
securityEnabled=”true”
in the
ObjectGrid.xml file for the deployed data grid.
Specify this setting for each
grid you define. After you configure this setting, no reads or writes
are run on data grid entries except for identities that have been
granted permissions in a policy file.
- Create a policy file.
See the following example
policy file:
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=cashier,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
};
Policy files can grant various permissions, depending
on the authorization of the user. For more information about how
to create this file, see
Java SE security tutorial - Step 5.
- Configure each container server to load this policy file.
You can complete this configuration by starting the container
with the following JVM argument:
-Djava.security.policy=<policy file>
Tip: This policy file is also used in controlling administrative
access to data grid servers. When you use this policy file to control
administrative access, the policy file must contain MBeanPermission
entries, and must be loaded by catalog servers and container servers.