Java 2 Connector security
Java 2 Connector authentication data entries are used by resource adapters and JDBC data sources. A Java 2 Connector authentication data entry contains authentication data.
The connector architecture defines a standard architecture for connecting the Java 2 Platform, Enterprise Edition (J2EE) to heterogeneous enterprise information systems (EIS). Examples of EIS include Enterprise Resource Planning (ERP), mainframe transaction processing (TP) and database systems.
The connector architecture enables an EIS vendor to provide a standard resource adapter for its EIS. A resource adapter is a system-level software driver that is used by a Java application to connect to an EIS. The resource adapter plugs into an appserver and provides connectivity between the EIS, the application server, and the enterprise application. You must protect information in EIS from unauthorized access. The Java 2 Connector security architecture is designed to extend the end-to-end security model for J2EE-based applications to include integration with EISs. An application server and an EIS collaborate to ensure the proper authentication of a resource principal, which establishes a connection to an underlying EIS. The connector architecture identifies the following mechanisms as the commonly-supported authentication mechanisms...
- BasicPassword: Basic user-password-based authentication mechanism specific to an EIS
- Kerbv5: Kerberos Version 5-based authentication mechanism
WAS implementation of a Java 2 connection supports basic password authentication mechanisms.
The user ID and password for the target EIS is either supplied by applications or by the appserver. WAS uses a JAAS pluggable authentication mechanism to perform principal mapping to convert a WebSphere principal to a resource principal. WAS provides a DefaultPrincipalMapping LoginModule, which basically converts any authenticated principal to the pre-configured EIS resource principal and password. Subsequently, you can plug in a principal mapping LoginModule through the JAAS plug-in mechanism.
J2C mapping module configurationWhen a Java 2 connection factory is configured for container-managed signon, WAS uses the configured principal mapping module to create a Subject instance that contains a user ID and a password for the target EIS.
Mapping modules are special JAAS login modules that provide principal and credential mapping functionality. You can define and configure custom mapping modules through the administrative console. Associated with the mapping module configuration is a set of user IDs and passwords that you can define in the security configuration with a specified alias name. The WAS run time passes the user ID, password and a reference of the connection factory manager to the configured mapping module to create a subject.
For more information about mapping module requirements, refer to the Javadoc of the WSDefaultPrincipalMapping class. For more detailed information about developing a mapping module, refer to the
J2C mapping module programming reference
You can develop your own mapping module if your application requires more sophisticated mapping functions. Use the WSSubject.getRunAsSubject() method to retrieve the subject that represents the identity of the current thread of execution. The identity of the current thread of execution is known as the RunAs identity. The RunAs subject typically contains a WSPrincipal in the principal set and a WSCredential in the public credential set. The subject instance that is created by your mapping module contains a Principal instance in the principals set and a PasswordCredential or GenericCredential instance in the set of private credentials.