Configure application logins for JAAS


Overview

The following three JAAS login configurations are available:

WSLogin

Defines a login configuration and a LoginModule implementation that applications can use in general.

ClientContainer

Defines a login configuration and a LoginModule implementation that is similar to that of the WSLogin configuration, but enforces the requirements of the WAS client container.

DefaultPrincipalMapping

Defines a special LoginModule module that is typically used by Java 2 Connector to map an authenticated WebSphere user identity to a set of user authentication data (user ID and password) for the specified back-end enterprise information system (EIS).

A new JAAS login configuration can be added and modified using the administrative console. The changes are saved in the cell-level security document and are available to all managed appservers. An appserver restart is required for the changes to take effect at run time.

Note: Do not remove or delete the predefined JAAS login configurations (ClientContainer, WSLogin and DefaultPrincipalMapping). Deleting or removing them can cause other enterprise applications to fail.


Steps for this task

  1. Delete a JAAS login configuration.

    1. Click...

      Security | JAAS Configuration | Application Logins

    2. Select the check box for the login configurations to delete and click Delete.

  2. Create a new JAAS login configuration.

    Click...

      Security | JAAS Configuration | Application Logins | New

    1. Specify the alias name of the new JAAS login configuration and click Apply.

      This value is the name of the login configuration that you pass to the javax.security.auth.login.LoginContext constructor when creating a new LoginContext.

      Click Apply to save the changes and to add the extra node name that precedes the original alias name. Clicking OK does not save the new changes to the security.xml file.

    2. Click...

      JAAS Login Modules | New

    3. Specify the Module Classname.

      Specify the WebSphere Proxy LoginModule here, because of a class loader visibility limitation: the real LoginModule class is loaded through the proxy rather than directly.

    4. Specify the LoginModule implementation as the delegate property of the Proxy LoginModule.

      The WebSphere Proxy LoginModule class name is com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.

    5. Select Authentication Strategy from the list and click Apply.

    6. Click Custom Properties.

      The Custom Properties panel is displayed for the selected LoginModule.

    7. Create a new property with the name delegate and the value of the real LoginModule implementation.

      You can specify other properties, such as debug with the value true. These properties are passed to the LoginModule class as the options argument of the initialize() method of the LoginModule instance.

    8. Click Save.

      For a Network Deployment installation, make sure that a file synchronization operation is performed to propagate the changes to other nodes.

    There are several locations within the WAS directory structure where you can place a JAAS login module. The following list provides locations for the JAAS login module in order of recommendation:

    • Within an Enterprise Archive (EAR) file for a specific Java 2 Enterprise Edition (J2EE) application.

      If you place the login module within the EAR file, it is accessible to the specific application only.

    • In the WAS shared library.

      If you place the login module in the shared library, specify which applications can access the module.

    • In the Java extensions directory...

      $WAS_HOME/jre/lib/ext

      If you place the JAAS login module in the Java extensions directory, the login module is available to all applications.

    Although the Java extensions directory provides the greatest availability for the login module, it is recommended that you place the login module in an application EAR file. If other applications need to access the same login module, consider using shared libraries.
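    The following LoginModule and client are an added illustration of steps 3 through 7 above; they are not code from the WAS documentation. The package com.example.auth, the class ExampleLoginModule, the alias ExampleAppLogin and the test credentials are all constructed for the example. The module is the class you would name in the delegate custom property of the WebSphere Proxy LoginModule; the delegate and debug properties arrive in the options map of initialize(), and the alias from step 1 is the name handed to the LoginContext constructor.

```java
package com.example.auth; // hypothetical package for this added example

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// The real LoginModule that the WebSphere Proxy LoginModule delegates to.
// In the console: custom property "delegate" = "com.example.auth.ExampleLoginModule",
// optional "debug" = "true"; both reach initialize() through the options map.
public class ExampleLoginModule implements LoginModule {

    // Constructed test credentials; a real module consults the user registry.
    private static final String TEST_USER = "alice";
    private static final char[] TEST_PASSWORD = "correct-horse".toCharArray();

    private Subject subject;
    private CallbackHandler handler;
    private boolean debug;
    private String userName;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.debug = "true".equalsIgnoreCase(String.valueOf(options.get("debug")));
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) {
            throw new LoginException("No CallbackHandler available to collect credentials");
        }
        NameCallback name = new NameCallback("User ID: ");
        PasswordCallback pw = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { name, pw });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Credential callback failed: " + e.getMessage());
        }
        char[] password = pw.getPassword(); // getPassword() returns a copy
        pw.clearPassword();
        try {
            succeeded = TEST_USER.equals(name.getName())
                    && password != null && Arrays.equals(TEST_PASSWORD, password);
        } finally {
            if (password != null) Arrays.fill(password, '\0'); // do not keep the secret around
        }
        if (!succeeded) {
            // One message for unknown user and wrong password: no account enumeration.
            throw new FailedLoginException("Authentication failed");
        }
        userName = name.getName();
        if (debug) System.out.println("ExampleLoginModule: login succeeded for " + userName);
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new SimplePrincipal(userName)); // identity lands on the Subject
        return true;
    }

    @Override
    public boolean abort() { succeeded = false; userName = null; return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof SimplePrincipal);
        succeeded = false; userName = null;
        return true;
    }

    // Minimal Principal added to the Subject on commit.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Client side: the alias entered in step 1 is the name passed to LoginContext.
    public static void main(String[] args) throws LoginException {
        CallbackHandler creds = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("correct-horse".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext ctx = new LoginContext("ExampleAppLogin", creds); // hypothetical alias
        ctx.login();
        System.out.println("Principals: " + ctx.getSubject().getPrincipals());
        ctx.logout();
    }
}
```

    Inside the server the alias is resolved from the cell-level security document; run stand-alone, the main method needs a JAAS configuration file that defines ExampleAppLogin, passed with -Djava.security.auth.login.config. The password comparison here is a stand-in: a production module delegates the check to the user registry and never stores the password after login() returns.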

  3. Change the plain text file.

    WAS supports the default JAAS login configuration format (plain text file) provided by the JAAS default implementation. However, no tool is provided for editing plain text files in this format. You can define the JAAS login configuration in the plain text file (install_root/properties/wsjaas.conf). A syntax error anywhere in this file can cause the whole JAAS login configuration file to be parsed incorrectly, which can cause other applications to fail.

    Java client programs that use JAAS for authentication must be invoked with the JAAS configuration file specified. This configuration file is set in the...

    /install_root/bin/launchClient.bat
    ...file as...

    set JAAS_LOGIN_CONFIG=-Djava.security.auth.login.config=%install_root%\properties\wsjaas_client.conf

    If the launchClient.bat file is not used to invoke the Java client program, verify that the appropriate JAAS configuration file is passed to the Java virtual machine with the flag...

    -Djava.security.auth.login.config
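    A constructed wsjaas.conf entry, added here as an example and not taken from the WAS documentation, showing the plain text JAAS format for a login configuration that uses the WebSphere Proxy LoginModule: the alias name, the module class with its control flag, and the delegate and debug options that are passed to the real module's initialize() method. The alias ExampleAppLogin and the class com.example.auth.ExampleLoginModule are hypothetical.

```text
// Constructed example entry for install_root/properties/wsjaas.conf
// Format: <alias> { <module class> <flag> [key=value ...]; };
ExampleAppLogin {
    com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required
        delegate=com.example.auth.ExampleLoginModule
        debug=true;
};
```

    Each module line ends with a semicolon and each alias block with "};". A missing terminator breaks parsing of the entire file, which is the failure mode the text above warns about, so after editing, start the client with -Djava.security.auth.login.config pointing at the edited file and confirm that constructing the LoginContext for the alias does not throw a LoginException reporting that no LoginModules are configured for it.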


Results

A new JAAS login configuration is created or an old JAAS login configuration is removed. An enterprise application can use a newly created JAAS login configuration without restarting the appserver process.

However, new JAAS login configurations defined in the install_root/properties/wsjaas.conf file do not refresh automatically. Restart the appservers for the changes to take effect. These JAAS login configurations are specific to a particular node and are not available to appservers running on other nodes.

Java Authentication and Authorization Service (JAAS) is a collection of authentication APIs. WAS provides some extensions to JAAS:

Two JAAS login configurations are defined in the WebSphere Configuration API security document for applications to use. In the left navigation pane, click...

Security > JAAS Configuration > Application Login > WSLogin and ClientContainer


What to do next

Use these newly defined JAAS login configurations to perform programmatic login.
