Java Authentication Service Provider Interface for Containers (JASPIC)

The Java™ Authentication Service Provider Interface for Containers (JASPIC) specification defines a service provider interface (SPI) through which authentication providers that implement message authentication mechanisms can be integrated in client or server message processing containers or runtimes.

About this task

Authentication providers that are integrated through the JASPIC interface operate on network messages that are provided by their calling container. The providers transform outgoing messages so that the source of the message can be authenticated by the receiving container, and the recipient of the message can be authenticated by the message sender. Incoming messages are authenticated and returned to their calling container, together with the identity that is established as a result of the message authentication.

JSR 196 defines a standard SPI, and standardizes how an authentication module is integrated into Java EE containers. A message processing model and details of a number of interaction points on the client and server are provided. A compatible web container uses the SPI at these points to delegate the corresponding message security processing to a server authentication module (SAM).

Liberty supports the use of third-party authentication providers that are compliant with the servlet container profile that is specified in jaspic-1.1. The servlet container profile defines interfaces that are used by the security runtime environment in collaboration with the web container. These interfaces are used to start authentication modules before and after a web request is processed by an application. Authentication that uses JASPIC modules is used only when JASPIC is enabled in the security configuration.

Procedure

  1. Create an OSGi Bundle Project to develop the Java class.
    Your project might have compile errors. To fix these errors, you need to import two packages, javax.security.auth.message and com.ibm.wsspi.security.jaspi. Edit the Target Platform to add the missing JARs to its list: com.ibm.ws.security.jaspic from the <cics_install>/wlp/lib directory and com.ibm.ws.javaee.jaspic.<version_number> from the <cics_install>/wlp/dev/api/spec directory. FTP these JARs to your development system and add them to the build path.

    Edit the file MANIFEST.MF to import the missing packages.

    Manifest-Version: 1.0
    Bundle-ManifestVersion: 2
    Bundle-Name: com.example.myjaspic.osgiBundle
    Bundle-SymbolicName: com.example.myjaspic.osgiBundle
    Bundle-Version: 1.0.0
    Bundle-RequiredExecutionEnvironment: JavaSE-1.7
    Import-Package: com.ibm.wsspi.security.jaspi;version="1.0.13",
     javax.security.auth.message;version="1.0.0",
     javax.security.auth.message.callback;version="1.0.0",
     javax.security.auth.message.config;version="1.0.0",
     javax.security.auth.message.module;version="1.0.0",
     javax.servlet;version="2.7.0",
     javax.servlet.http;version="2.7.0"
    Service-Component: myjaspicExampleComponent.xml

    An example of the service component XML, myjaspicExampleComponent.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <scr:component xmlns:scr="http://www.osgi.org/xmlns/scr/v1.1.0" name="com.example.myjaspic.osgiBundle">
        <implementation class="com.example.myjaspic.osgiBundle.TestJASPICProviderService"/>
        <service>
            <provide interface="com.ibm.wsspi.security.jaspi.ProviderService"/>
        </service>
    </scr:component>
  2. Create a Liberty Feature Project to add the previous OSGi bundle into the user Liberty feature, under Subsystem-Content in the feature manifest file.
  3. Edit the feature manifest to add the necessary OSGi subsystem content: com.ibm.websphere.appserver.jaspic-1.1; type="osgi.subsystem.feature".
    Subsystem-ManifestVersion: 1.0
    IBM-Feature-Version: 2
    IBM-ShortName: jaspic11CICSLiberty-1.0
    Subsystem-SymbolicName: com.example.myjaspic.libertyFeature;visibility:=public
    Subsystem-Version: 1.0.0.201611081617
    Subsystem-Type: osgi.subsystem.feature
    Subsystem-Content: com.example.myjaspic.osgiBundle;version="1.0.0",
      com.ibm.websphere.appserver.jaspic-1.1;type="osgi.subsystem.feature",
      com.ibm.websphere.appserver.servlet-3.0;ibm.tolerates:="3.1";type="osgi.subsystem.feature"
    Manifest-Version: 1.0

    If you add another Subsystem-Content entry on a new line, you must begin that line with at least one space. If you do not add a space, CICS® returns java.lang.IllegalArgumentException.

  4. Export the Liberty Feature Project as a Liberty Feature (ESA) file.
  5. FTP the ESA file to zFS.
  6. Use installUtility to install the ESA file.
    ./wlpenv installUtility install myFeature.esa
  7. Add the jaspic-1.1 feature and the ESA file containing the JASPIC provider as a user feature to server.xml.
    <feature>jaspic-1.1</feature>
    <feature>usr:jaspic11CICSLiberty-1.0</feature>
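
A pre-deployment check for the manifests in steps 1 and 3, as an added example that is not part of the original procedure or of CICS or Liberty: it flags continuation lines that lack the leading space and reports when the packages or the jaspic-1.1 feature named above are missing. The function names `parse_manifest`, `entries` and `check` are hypothetical, and the sample manifests are constructed.

```python
import re

# A header line is "Name: value"; the space after the colon is required.
HEADER = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_-]*): (.*)$")
# Names taken from steps 1 and 3 of the procedure.
REQUIRED = {
    "Import-Package": {"javax.security.auth.message", "com.ibm.wsspi.security.jaspi"},
    "Subsystem-Content": {"com.ibm.websphere.appserver.jaspic-1.1"},
}

def parse_manifest(text):
    """Return (headers, errors); a line that starts with a space continues the previous header."""
    headers, errors, last = {}, [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            last = None  # a blank line ends the section
        elif line.startswith(" "):
            if last is None:
                errors.append((n, "continuation line with no header before it"))
            else:
                headers[last] += line[1:]
        elif HEADER.match(line):
            last, value = HEADER.match(line).groups()
            headers[last] = value
        else:
            errors.append((n, "continuation line lacks a leading space: " + line))
    return headers, errors

def entries(value):
    """Split a header value on commas outside quotes and keep each clause's name."""
    clauses = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value)
    return {c.split(";")[0].strip() for c in clauses if c.strip()}

def check(text):
    """List formatting errors and required entries missing from headers that are present."""
    headers, errors = parse_manifest(text)
    problems = ["line %d: %s" % e for e in errors]
    for name, needed in REQUIRED.items():
        if name in headers:
            problems += ["%s lacks %s" % (name, m) for m in sorted(needed - entries(headers[name]))]
    return problems

# Constructed samples modelled on the feature manifest in step 3.
GOOD = (
    "Subsystem-ManifestVersion: 1.0\n"
    'Subsystem-Content: com.example.myjaspic.osgiBundle;version="1.0.0",\n'
    ' com.ibm.websphere.appserver.jaspic-1.1;type="osgi.subsystem.feature"\n'
)
BAD = GOOD.replace("\n com.ibm", "\ncom.ibm")  # leading space dropped

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check(text) or "ok")
```

Run it against MANIFEST.MF and the feature manifest before exporting the ESA file; an empty list means both checks passed.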