Java 2 Connector security

 

Java 2 Connection authentication data entries are used by resource adapters and JDBC data sources. A Java 2 Connection authentication data entry contains authentication data.

The connector architecture defines a standard architecture for connecting the J2EE platform to heterogeneous Enterprise Information Systems (EIS). Examples of EIS include ERP, mainframe transaction processing (TP) and database systems.

The connector architecture enables an EIS vendor to provide a standard resource adapter for its EIS. The resource adapter plugs into an application server and provides connectivity between the EIS, the application server, and the enterprise application.

Information in an EIS must be protected from unauthorized access. The J2C security architecture is designed to extend the end-to-end security model for J2EE-based applications to include integration with EISs. Application servers and EIS servers collaborate to ensure the proper authentication of a resource principal. Commonly supported authentication mechanisms include:

BasicPassword: Basic user-password-based authentication, specific to an EIS
Kerbv5: Kerberos Version 5-based authentication

The WAS implementation of a Java 2 connection supports basic password authentication mechanisms.

User IDs and passwords are supplied by applications or by the appserver.

WAS uses JAAS to perform principal mapping. The DefaultPrincipalMapping LoginModule converts authenticated principals to the pre-configured EIS resource principal. Subsequently, you can plug in your own principal mapping LoginModule through the JAAS plug-in.

 

J2C mapping module configuration

When a J2C Factory is configured for container-managed signon, WAS uses the configured principal mapping module to create a Subject instance that contains a user ID and password for the target EIS.

Mapping modules are special JAAS login modules that provide principal and credential mapping functionality. You can define and configure custom mapping modules through the administrative console. Associated with the mapping module configuration is a set of user IDs and passwords that you can define in the security configuration with a specified alias name. The WAS run time passes the user ID, password and a reference to the connection factory manager to the configured mapping module to create a subject.

For more information about mapping module requirements, please refer to the Javadoc of the WSDefaultPrincipalMapping class. For more detailed information about developing a mapping module, refer to the Developing your own Java 2 security mapping module article.

 

J2C mapping module programming reference

You can develop your own mapping module if your application requires more sophisticated mapping functions. You can use the WSSubject.getCallerPrincipal() method to retrieve the application client identity. The subject instance contains a WSPrincipal instance in the principals set and a WSCredential instance in the set of public credentials.
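
The following sketch of a mapping module is an added example, not IBM's code or the WSDefaultPrincipalMapping implementation. It uses only the standard JAAS and JCA interfaces (the JCA API jar must be on the class path). The class name and the MappingDataCallback class are hypothetical stand-ins for the server-specific way the run time hands over the user ID, password and connection factory reference.

```java
import java.util.Map;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
/** Added example: builds the EIS Subject from data supplied by the run time. */
public class SampleMappingModule implements LoginModule {
    /** Hypothetical callback: stands in for the server-specific way the data is passed. */
    public static class MappingDataCallback implements Callback {
        public String userId;
        public char[] password;
        public ManagedConnectionFactory factory;
    }
    private Subject subject;
    private CallbackHandler handler;
    private PasswordCredential mapped;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    public boolean login() throws LoginException {
        MappingDataCallback data = new MappingDataCallback();
        try {
            handler.handle(new Callback[] { data });
        } catch (Exception e) {
            throw new LoginException("mapping data unavailable: " + e.getMessage());
        }
        // Fail closed: never fall back to a default or empty credential.
        if (data.userId == null || data.password == null || data.factory == null) {
            throw new LoginException("incomplete EIS mapping data");
        }
        mapped = new PasswordCredential(data.userId, data.password);
        mapped.setManagedConnectionFactory(data.factory); // bind to this factory only
        return true;
    }
    public boolean commit() {
        subject.getPrivateCredentials().add(mapped); // private set, not the public one
        return true;
    }
    public boolean abort() { mapped = null; return true; }
    public boolean logout() {
        if (mapped != null) subject.getPrivateCredentials().remove(mapped);
        mapped = null; return true;
    }
}
```

A module that maps per caller would choose the EIS account in login() based on the identity returned by WSSubject.getCallerPrincipal() and still fail the login when no mapping exists.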


Developing your own J2C principal mapping module