Lesson 4.2: Enable user-based authorization
In the authentication module of this tutorial, you created two users: operator and manager. You can assign varying permissions to these users with Java™ Authentication and Authorization Service (JAAS) authorization.
Defining the Java Authentication and Authorization Service (JAAS) authorization policy using user principals
About this task
Procedure
Edit the JAAS authorization file.
The xsAuth3.policy file is in the samples_home/security_extauth directory.
// Operator: read-only access to the Map1 map in the Grid ObjectGrid instance.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal
        "CN=operator,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};

// Manager: all map permissions on the same map.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal
        "CN=manager,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
In this file, the http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction codebase is a specially reserved URL for ObjectGrid. All ObjectGrid permissions that are granted to principals should use this special codebase. The following permissions are assigned in this file:
- The first grant statement grants read map permission to the "CN=operator,O=acme,OU=OGSample" principal. The "CN=operator,O=acme,OU=OGSample" user has only map read permission to the Map1 map in the Grid ObjectGrid instance.
- The second grant statement grants all map permission to the "CN=manager,O=acme,OU=OGSample" principal. The "CN=manager,O=acme,OU=OGSample" user has all permissions to the Map1 map in the Grid ObjectGrid instance. Any principal that matches no grant statement receives no map permissions, so the policy is deny-by-default.
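To make the effect of the two grant statements concrete, the following is an added example, not code from the tutorial or from the WebSphere eXtreme Scale product. It parses grant blocks shaped like the ones in xsAuth3.policy and answers whether a given principal may perform an action on a given map. It assumes that the action string "all" implies every other action (consistent with the lesson's description of the manager user), that principal names compare as exact strings (the real X500Principal canonicalizes distinguished names, which this model does not), and it uses "write" only as a constructed second action name to show a denial; the real authorization decision is made by the JAAS machinery in the ObjectGrid runtime, not by this script.

```python
"""Added example, not part of the tutorial or the product: a small evaluator
for grant statements of the form used in xsAuth3.policy. It models the
lesson's semantics (grant per principal, deny-by-default) for illustration."""
import re
from dataclasses import dataclass

# Reserved ObjectGrid codebase named in the lesson; grants for other
# codebases are ignored by this evaluator.
OBJECTGRID_CODEBASE = "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
MAP_PERMISSION = "com.ibm.websphere.objectgrid.security.MapPermission"

# Constructed sample input: the two grant statements shown in the lesson.
SAMPLE_POLICY = """
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal
"CN=operator,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal javax.security.auth.x500.X500Principal
"CN=manager,O=acme,OU=OGSample" {
permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
"""


@dataclass(frozen=True)
class Grant:
    codebase: str
    principal_class: str
    principal_name: str
    permissions: tuple  # of (permission_class, target, actions)


GRANT_RE = re.compile(
    r'grant\s+codebase\s+"([^"]+)"\s+principal\s+(\S+)\s+"([^"]+)"\s*\{(.*?)\}\s*;',
    re.DOTALL,
)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')


def parse_policy(text):
    """Extract every 'grant codebase ... principal ... { permission ...; };' block."""
    grants = []
    for match in GRANT_RE.finditer(text):
        codebase, principal_class, principal_name, body = match.groups()
        perms = tuple(PERM_RE.findall(body))
        grants.append(Grant(codebase, principal_class, principal_name, perms))
    return grants


def _actions(spec):
    # Action lists in a permission are comma separated, e.g. "read,write".
    return {a.strip() for a in spec.split(",")}


def is_permitted(grants, principal_name, map_name, action):
    """Deny by default: allow only if a grant for this principal names the map
    with the requested action, or with "all" (assumption: "all" implies every action)."""
    for grant in grants:
        if grant.codebase != OBJECTGRID_CODEBASE or grant.principal_name != principal_name:
            continue
        for perm_class, target, actions in grant.permissions:
            if perm_class != MAP_PERMISSION or target != map_name:
                continue
            acts = _actions(actions)
            if "all" in acts or action in acts:
                return True
    return False


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for who in ("CN=operator,O=acme,OU=OGSample", "CN=manager,O=acme,OU=OGSample"):
        for act in ("read", "write"):
            print(who, act, is_permitted(policy, who, "Grid.Map1", act))
```

Running the script shows the operator allowed to read but not to write, and the manager allowed both; a principal absent from the file, or a map not named in any grant, is denied.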
Setting the JAAS authorization policy file using JVM properties
About this task
Procedure
Running the sample application to test authorization
About this task
Procedure
Results
Lesson checkpoint
In this lesson, you configured authorization by assigning permissions to specific users.