Configure a JAAS custom login module for the Liberty profile

We can configure a custom Java Authentication and Authorization Service (JAAS) login module before or after we have configured the Liberty profile server login module.

Make sure we have a JAR file containing the JAAS custom login module, which implements the javax.security.auth.spi.LoginModule interface as described in Develop JAAS custom login modules for a system login configuration. In this topic, JAAS custom login module uses hashtable, callbacks or shared state variables provided by the Liberty profile server to pass authentication data to the system login module.

We can use a custom login module to either make additional authentication decisions or add information to the subject to make finer-grained authorization decisions inside the application. See JAAS configuration and JAAS login modules for a more detailed overview.
We can also use the developer tools to configure a custom JAAS login module. See Configure JAAS on the Liberty profile using developer tools. There are several security configuration examples on the WASdev.net website for reference when configuring security for the applications on the Liberty profile. See Configure JAAS on the Liberty profile using developer tools.

To configure a JAAS custom login module:

1. Enable the appSecurity-2.0 Liberty feature in server.xml.

   <featureManager>
       <feature>appSecurity-2.0</feature>
   </featureManager>

2. Create a class com.sample.CustomLoginModule that implements the LoginModule interface and package it into the CustomLoginModule.jar file.

3. Create a <library> element that uses a <fileset> element indicating where the CustomLoginModule.jar file is. In this example, the library id is customLoginLib.

   <library id="customLoginLib">
       <fileset dir="${server.config.dir}" includes="CustomLoginModule.jar"/>
   </library> 

4. Create a <jaasLoginModule> element. In this example, the id is custom.

   1. Configure the custom login module to require a successful authentication by setting the controlFlag attribute to REQUIRED.

   2. Set the libraryRef attribute to customLoginLib, the id of the <library> element configured in the previous step. This login module also has two options: UserRegistry is ldap and mapToUser is user1.

   <jaasLoginModule id="myCustom" 
                    className="com.sample.CustomLoginModule" 
                    controlFlag="REQUIRED" libraryRef="customLoginLib">
       <options myOption1="value1" myOption2="value2"/>
   </jaasLoginModule>

5. Create a <jaasLogincontextEntry> element with an id and a unique name of the system-defined JAAS configuration: system.WEB_INBOUND. We can also set this JAAS configuration to system.DEFAULT, WSLogin, or our own JAAS configuration. On the loginModuleRef attribute, add custom, the id of the jaasLoginModule element created in the previous step. Putting this id first in the list means that it is the first JAAS login module to be called. Also list the other default login modules: hashtable, userNameAndPassword, certificate, and token.

   <jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND" 
                    loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token"  />

   The option name cannot start with a period (.), config., or service and must be unique. Also, the property name id or ID is not allowed.

   For more information about the <jaasLoginContextEntry>, <jaasLoginModule>, <options>, and <library> elements, see Configuration elements in server.xml.

Subtopics

• Configure JAAS on the Liberty profile using developer tools
  We can configure a JAAS configuration (system.WEB_INBOUND) with a custom login module for the Liberty profile by editing the configuration. You do not have to configure JAAS unless to customize it.

Parent topic: Authenticate users

Concepts:

Authentication

Tasks:

Develop JAAS custom login modules for a system login configuration