You can configure a custom Java™ Authentication
and Authorization Service (JAAS) login module before or after you
have configured the Liberty profile server login module.
Before you begin
Make sure you have a JAR file that contains the JAAS custom
login module, which implements the javax.security.auth.spi.LoginModule interface
as described in Developing JAAS custom login modules for a system login configuration. In
this topic, the JAAS custom login module uses the hashtable, callbacks, or
shared state variables that the Liberty profile server provides to pass
authentication data to the system login module.
About this task
You can use a custom login module to either make additional
authentication decisions or add information to the subject to make
finer-grained authorization decisions inside your application. See JAAS configuration and JAAS login modules for
a more detailed overview.
You can also use the
developer tools to configure a custom JAAS login module. See Configuring JAAS on the Liberty profile by using developer tools. There are several security configuration examples on the wasdev.net website for reference when configuring security for your applications on the Liberty profile.
To
configure a JAAS custom login module, complete the following steps:
Procedure
- Enable the appSecurity-2.0 Liberty
feature in the server.xml file.
<featureManager>
<feature>appSecurity-2.0</feature>
</featureManager>
- Create a class com.sample.CustomLoginModule that
implements the LoginModule interface and package
it into the CustomLoginModule.jar file.
- Create a <library> element that uses
a <fileset> element indicating where the CustomLoginModule.jar file
is. In this example, the library id is customLoginLib.
<library id="customLoginLib">
<fileset dir="${server.config.dir}" includes="CustomLoginModule.jar"/>
</library>
- Create a <jaasLoginModule> element.
In this example, the id is myCustom.
- Configure the custom login module to require a successful
authentication by setting the controlFlag attribute
to REQUIRED.
- Set the libraryRef attribute to customLoginLib,
the id of the <library> element
configured in the previous step. This login module also has two options: UserRegistry is ldap and mapToUser is user1.
<jaasLoginModule id="myCustom"
className="com.sample.CustomLoginModule"
controlFlag="REQUIRED" libraryRef="customLoginLib">
<options UserRegistry="ldap" mapToUser="user1"/>
</jaasLoginModule>
- Create a <jaasLoginContextEntry> element
with an id and name of the
system-defined JAAS configuration: system.WEB_INBOUND. You can also
set this JAAS configuration to system.DEFAULT, WSLogin, or your own
JAAS configuration. On the loginModuleRef attribute,
add myCustom, the id of
the jaasLoginModule element created in the previous
step. Putting this id first in the list means
that it is the first JAAS login module to be called. You must also
list the other default login modules: hashtable, userNameAndPassword, certificate,
and token.
<jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND"
loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token" />
Note: An option name cannot start with a period (.), config., or
service. The property names id and ID are also not allowed.
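The steps above configure the module but do not show what the com.sample.CustomLoginModule class itself looks like. The following class is an added example written for this page; it is not IBM's or the page's own code. It uses only JDK JAAS APIs: it takes the user name from the shared state if an earlier module already placed it there (under the key JDK login modules conventionally use) or otherwise from the container's CallbackHandler, makes an additional authentication decision based on a hypothetical allowedUsers option, and on commit adds a principal whose name comes from the page's mapToUser option. The allowedUsers option name and the SimplePrincipal class are assumptions of this example, not Liberty identifiers.

```java
package com.sample;

import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Example login module (not the page's or IBM's code). Packaged as CustomLoginModule.jar
// and referenced by the <jaasLoginModule> element shown in the procedure.
public class CustomLoginModule implements LoginModule {

    // Key under which JDK login modules conventionally share the user name.
    private static final String SHARED_NAME = "javax.security.auth.login.name";

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> sharedState;
    private Map<String, ?> options;

    private String userName;       // identity collected in login()
    private Principal principal;   // added to the subject in commit()
    private boolean loginSucceeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        // Prefer a name an earlier module left in the shared state; otherwise
        // ask the container-supplied CallbackHandler for it.
        Object shared = sharedState.get(SHARED_NAME);
        if (shared instanceof String) {
            userName = (String) shared;
        } else {
            if (handler == null) {
                throw new LoginException("No CallbackHandler available");
            }
            NameCallback nameCb = new NameCallback("user name: ");
            try {
                handler.handle(new Callback[] { nameCb });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("Callback failed: " + e.getMessage());
            }
            userName = nameCb.getName();
        }
        if (userName == null || userName.trim().isEmpty()) {
            throw new FailedLoginException("No user name supplied");
        }
        // Additional authentication decision: the hypothetical "allowedUsers" option
        // (comma-separated) restricts who may pass this module. Password validation
        // is left to the Liberty modules that follow in the login context entry.
        Set<String> allowed = parseList(options.get("allowedUsers"));
        if (!allowed.isEmpty() && !allowed.contains(userName)) {
            throw new FailedLoginException("User not permitted by allowedUsers");
        }
        loginSucceeded = true;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (!loginSucceeded) {
            return false;
        }
        // The page's mapToUser option: expose a mapped identity to the application.
        Object mapped = options.get("mapToUser");
        String effective = (mapped instanceof String && !((String) mapped).isEmpty())
                ? (String) mapped : userName;
        principal = new SimplePrincipal(effective);
        subject.getPrincipals().add(principal);
        return true;
    }

    @Override
    public boolean abort() throws LoginException { cleanup(); return true; }

    @Override
    public boolean logout() throws LoginException {
        if (principal != null) {
            subject.getPrincipals().remove(principal);
        }
        cleanup();
        return true;
    }

    private void cleanup() { userName = null; principal = null; loginSucceeded = false; }

    static Set<String> parseList(Object value) {
        Set<String> out = new HashSet<>();
        if (value instanceof String) {
            for (String s : ((String) value).split(",")) {
                if (!s.trim().isEmpty()) out.add(s.trim());
            }
        }
        return out;
    }

    // Minimal Principal carrying just a name (an assumption of this example).
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && name.equals(((SimplePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

Because the module is listed first with controlFlag REQUIRED, a FailedLoginException from login() fails the whole system.WEB_INBOUND login even though the hashtable, userNameAndPassword, certificate, and token modules still run. The page's hashtable mechanism, in which a module places Liberty-specific credential attributes in the shared state for the hashtable module to consume, relies on Liberty's own attribute-name constants and is not shown here.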
For more information about the <jaasLoginContextEntry>, <jaasLoginModule>, <options>,
and <library> elements, see Liberty profile: Configuration elements in the server.xml file.