8.6.1 JAAS login module in WebSphere

The authentication process between a Java application client and a remote EJB is explained in Authentication process. In Figure 8-4 below, the simplified authentication process within WebSphere Application Server is given again to indicate the role of JAAS:

  • Java clients send the authentication information to the Enterprise JavaBean (EJB) authenticator module. The authentication information can be Basic Authentication (simply a user ID and password pair) or a credential token (for LTPA).

  • The EJB authenticator module passes the authentication information to the Java Authentication and Authorization Service (JAAS) login module.

  • The login module uses the specified authentication mechanism: either LTPA or SWAM.

  • To validate the authentication information, the authentication module uses either the LocalOS, LDAP or a custom user registry.

  • Once authenticated, the login module creates a JAAS Subject (javax.security.auth.Subject). Besides holding the user's realm (getPrincipals()), this subject also contains a CORBA credential in its public credential list attribute (getPublicCredentials()). This credential is used by the authorization service for all further access to resources.

Figure 8-4 Authentication process within WebSphere Application Server. Note the importance of the JAAS login module.

WebSphere Application Server provides a JAAS login module that applications can use to perform programmatic authentication against the WebSphere Application Server security runtime. Several built-in JAAS login configurations are already available for programmers to use directly, such as:

WSLogin. This is a very generic JAAS login configuration that can be used by almost any application, including the Java application client, to perform authentication based on a user ID and password or a token.

ClientContainer. Similar to WSLogin, this JAAS login configuration honors the CallbackHandler specified in the client container deployment descriptor. The login module of this login configuration uses the CallbackHandler from the client container deployment descriptor if one is specified, even if the application code passed its own CallbackHandler to the LoginContext.

In WebSphere, the supported built-in JAAS login configurations are listed in the file wsjaas_client.conf. This file should be referenced by the JVM runtime system property java.security.auth.login.config of the application client (see Example 8-1).
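The following is an added example (not code from the Redbook or from IBM) of what the programmatic login described above looks like from the application client's side: a LoginContext is created against the built-in WSLogin configuration, a standard JAAS CallbackHandler supplies the user ID and password, and the resulting Subject is inspected for its principals and public credentials. The configuration name WSLogin, the file wsjaas_client.conf and the property java.security.auth.login.config come from the text; the class and method names, the way the password is obtained, and the handling of callbacks the WebSphere login module might present beyond the two standard ones are assumptions and are marked as such in the comments.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Hypothetical application-client login helper (example code, not WebSphere's own API).
 *
 * Run with the JAAS configuration file referenced through the JVM system property, e.g.
 *   java -Djava.security.auth.login.config=wsjaas_client.conf WsLoginExample alice
 * The property name and file name are those named in the text; the class name is assumed.
 */
public class WsLoginExample {

    /** Name of the built-in login configuration from the text. */
    static final String LOGIN_CONFIG = "WSLogin";

    /**
     * Standard JAAS callback handler that answers NameCallback and PasswordCallback.
     * The password is held in a char[] and wiped after use so it does not linger on the heap
     * as an immutable String.
     */
    static final class UserPasswordHandler implements CallbackHandler {
        private final String userId;
        private final char[] password;

        UserPasswordHandler(String userId, char[] password) {
            this.userId = userId;
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(userId);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Assumption: the WebSphere login module may present additional,
                    // product-specific callbacks (e.g. for an LTPA token). A handler that only
                    // knows user ID/password must reject them explicitly rather than silently
                    // returning an empty answer, so a misconfiguration fails loudly.
                    throw new UnsupportedCallbackException(cb, "unsupported callback: " + cb.getClass());
                }
            }
        }

        void clear() {
            Arrays.fill(password, '\0');
        }
    }

    /** Performs the login and returns the authenticated Subject; throws on failure. */
    static Subject login(String userId, char[] password) throws LoginException {
        UserPasswordHandler handler = new UserPasswordHandler(userId, password);
        try {
            LoginContext lc = new LoginContext(LOGIN_CONFIG, handler);
            lc.login();                 // drives the login module configured under WSLogin
            return lc.getSubject();     // populated with principals and the public credential
        } finally {
            handler.clear();            // never keep the cleartext password around
        }
    }

    public static void main(String[] args) throws Exception {
        String userId = args.length > 0 ? args[0] : "alice";   // constructed sample user ID
        // Reading from the console keeps the password out of the command line and shell history.
        char[] password = System.console() != null
                ? System.console().readPassword("Password for %s: ", userId)
                : new char[0];

        Subject subject = login(userId, password);

        // The principals carry the user's identity (the text refers to the user's realm here);
        // the public credentials carry the CORBA credential the authorization service relies on.
        System.out.println("Principals:         " + subject.getPrincipals());
        System.out.println("Public credentials: " + subject.getPublicCredentials().size() + " entry(ies)");
        // Print credential types only: the credential itself is a bearer artifact and must not be logged.
        subject.getPublicCredentials().forEach(c -> System.out.println("  type: " + c.getClass().getName()));
    }
}
```

Work that must run under the authenticated identity is wrapped in Subject.doAs(subject, action) so that the credential in the Subject, rather than the JVM's ambient identity, is what the security runtime sees. Note that the ClientContainer configuration described above may replace the handler passed to the LoginContext with the one from the deployment descriptor, so a handler supplied in code is not guaranteed to be the one that answers the callbacks.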