JAAS API

JAAS provides a standard API for pluggable authentication and for extending Java 2 authorization to user-based access control. Several LoginModules can be stacked in a JAAS login configuration file. User authentication is performed by LoginModules, and the authenticated user is represented by a Subject. A Subject may also hold security-related attributes, referred to as credentials. Sensitive credentials that require special protection, such as private cryptographic keys, are stored in the Subject's private credential Set; credentials intended to be shared, such as public key certificates, are stored in its public credential Set. WebSphere Application Server (WAS) V5.1.1 and above uses JAAS for authentication: login modules authenticate the user, create the Subject and populate it with security attribute information.

The security attribute propagation feature enables WAS to send security attribute information about the original login from one server to another. Prior to V5.1.1, WAS authenticated the user and retrieved the group information during login, but passed only the user's identity downstream. From V5.1.1 onward, security attribute propagation allows WAS to pass security attribute information downstream, including the contents of the authenticated Subject and custom security attributes. The security attributes that can be transported to other application servers may be obtained during the initial login in the following ways:

  1. When WAS performs the authentication itself, it can query the user registry for static security attributes, such as the user's language preference or e-mail address, and populate the Subject with them.

  2. The security attributes may also be populated by a custom login module in WAS. A custom login module is the place for dynamic attributes such as the login time, the location of the login or the client IP address of the original user. It can insert custom security attributes into the Subject that contain static as well as dynamic information.

  3. If an external security server such as Tivoli Access Manager is involved, the security attributes may be propagated using the Trust Association Interceptor (TAI) for that reverse proxy server. The enhanced TAI++ interface is able to assert a fully populated Subject, which can then be propagated to other servers.

WAS does not use the custom attributes or tokens in the Subject for its own authentication or authorization decisions. It still propagates these custom tokens, but it does not serialize or deserialize them: the rules for how Java code serializes and deserializes an object are defined by the Java platform (java.io.Serializable), and the serialization and deserialization of custom tokens must be implemented by the custom login module that owns them. Because the receiving server reconstructs a token from bytes sent by another server, that deserialization code should accept only the expected token classes.
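The following is an added example, not code from the original page or from WebSphere, that ties together the points above: a custom JAAS LoginModule (with the stacking configuration shown as the equivalent config-file entry) authenticates a user against a constructed in-memory registry, builds a Serializable custom token holding static attributes from the registry and dynamic attributes from this login, places it in the Subject's public credential Set alongside a sensitive item in the private credential Set, and then performs the serialize/deserialize round trip that the implementation, not WAS, has to supply. The class names, the registry contents, the option names (clientIp, loginTime) and the user "alice" are all assumptions made for the example.

```java
// Added example (not from the original page or from WebSphere). All names,
// the in-memory registry and the login options are assumptions for the demo.
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class CustomTokenLoginDemo {

    /** Custom token carried in the Subject. WAS forwards it but leaves (de)serialization to us. */
    public static final class CustomAttributeToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final Map<String, String> staticAttrs;   // from the registry: language, e-mail
        final Map<String, String> dynamicAttrs;  // from this login: time, client IP
        CustomAttributeToken(String user, Map<String, String> s, Map<String, String> d) {
            this.user = user; this.staticAttrs = new TreeMap<>(s); this.dynamicAttrs = new TreeMap<>(d);
        }
        byte[] toBytes() throws IOException {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(this); }
            return bos.toByteArray();
        }
        /** Receiving side: the bytes came from another server, so only the expected classes are admitted. */
        static CustomAttributeToken fromBytes(byte[] data) throws IOException, ClassNotFoundException {
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
                ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    CustomAttributeToken.class.getName() + ";java.util.TreeMap;java.lang.String;!*"));
                return (CustomAttributeToken) ois.readObject();
            }
        }
    }

    public static final class UserPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Custom LoginModule following the two-phase login/commit contract. */
    public static final class AttributeLoginModule implements LoginModule {
        // Constructed stand-in for a user registry: user -> {password, language, e-mail}.
        // A real registry stores a password hash, not the password.
        private static final Map<String, String[]> REGISTRY =
            Map.of("alice", new String[] {"s3cret", "en", "alice@example.com"});
        private Subject subject; private CallbackHandler handler; private Map<String, ?> options;
        private String user; private char[] password; private CustomAttributeToken token;
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; this.handler = handler; this.options = options;
        }
        private String opt(String key, String dflt) { Object v = options.get(key); return v == null ? dflt : v.toString(); }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] given = pc.getPassword();          // getPassword() returns a copy
            pc.clearPassword();
            String[] rec = REGISTRY.get(nc.getName());
            if (rec == null || given == null || !MessageDigest.isEqual(   // constant-time compare
                    rec[0].getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8)))
                throw new FailedLoginException("bad credentials for " + nc.getName());
            user = nc.getName();
            password = given;                          // sensitive: goes in the private credential Set
            Map<String, String> dyn = new HashMap<>(); // dynamic attributes of this particular login
            dyn.put("loginTime", opt("loginTime", java.time.Instant.now().toString()));
            dyn.put("clientIp", opt("clientIp", "unknown"));
            token = new CustomAttributeToken(user, Map.of("language", rec[1], "email", rec[2]), dyn);
            succeeded = true;
            return true;
        }
        @Override public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            subject.getPublicCredentials().add(token);      // shareable: propagated downstream
            subject.getPrivateCredentials().add(password);  // protected Set
            return true;
        }
        @Override public boolean abort() { cleanup(); return true; }
        @Override public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
            subject.getPublicCredentials().remove(token);
            subject.getPrivateCredentials().remove(password);
            cleanup();
            return true;
        }
        private void cleanup() {
            if (password != null) Arrays.fill(password, '\0');
            password = null; token = null; user = null; succeeded = false;
        }
    }

    // Equivalent entry in a JAAS login configuration file; stacking more modules adds more lines:
    //   PropagationDemo { CustomTokenLoginDemo$AttributeLoginModule required clientIp="203.0.113.7"; };
    static Configuration config(String clientIp) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    AttributeLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of("clientIp", clientIp)) };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler h = cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("PropagationDemo", new Subject(), h, config("203.0.113.7"));
        lc.login();
        Subject s = lc.getSubject();
        CustomAttributeToken sent = s.getPublicCredentials(CustomAttributeToken.class).iterator().next();
        // Originating server serializes, receiving server deserializes: this step is ours, not WAS's.
        CustomAttributeToken received = CustomAttributeToken.fromBytes(sent.toBytes());
        System.out.println(s.getPrincipals() + " static=" + received.staticAttrs + " dynamic=" + received.dynamicAttrs);
        lc.logout();
    }
}
```

Compile and run with `javac CustomTokenLoginDemo.java && java CustomTokenLoginDemo` (Java 9 or later, for Map.of and ObjectInputFilter). The Configuration is built in code so the demo needs no config file; in a deployment the commented entry would live in the login configuration instead and the module would be stacked with the others. The ObjectInputFilter in fromBytes is the check a practitioner wants on the receiving server: a propagated token is data from another host, and restricting deserialization to the token's own classes keeps an attacker who can reach that channel from instantiating arbitrary classes.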