Authentication mechanisms


An authentication mechanism defines rules about security information (for example, whether a credential is forwardable to another Java process), and the format of how security information is stored in both credentials and tokens.

Authentication is the process of establishing whether a client is valid in a particular context. A client can be either an end user, a machine, or an application.

An authentication mechanism in WebSphere Application Server typically collaborates closely with a User Registry. The user registry is the user and groups account repository that the authentication mechanism consults with when performing authentication. The authentication mechanism is responsible for creating a credential, which is an internal product representation of a successfully authenticated client user. Not all credentials are created equally. The abilities of the credential are determined by the configured authentication mechanism.

Although this product provides several authentication mechanisms, you can only configure a single active authentication mechanism at a time. The active authentication mechanism is selected when configuring WebSphere global security.


Authentication Process

Authentication is required for enterprise bean clients and Web clients when they access protected resources.

Enterprise bean clients (a servlet, another enterprise bean, or a pure client) send the authentication information to the application server using the CSIv2 or SAS protocols.

Web clients use the HTTP or HTTPS protocol to send the authentication information. The authentication information can be BasicAuth (user ID and password), a credential token (in the case of LTPA), or a client certificate. Web authentication is performed by the Web authentication module, and EJB authentication is performed by the EJB authentication module, which resides in the CSIv2 and SAS layer.

The authentication module is implemented using the JAAS login module. WebAuthenticator and EJBAuthenticator pass the authentication data to the login module (2) which can be either Lightweight Third Party Authentication (LTPA) or Simple WebSphere Authentication Mechanism (SWAM).

The authentication module uses the registry that is configured on the system to perform the authentication (4). Three types of registries are supported: Local OS, Lightweight Directory Access Protocol (LDAP), and custom registry. An external registry implementation that follows the registry interface specified by IBM can replace either the Local OS or the LDAP registry.

The login module creates a JAAS subject after authentication and stores the Common Object Request Broker Architecture (CORBA) credential derived from the authentication data in the public credentials list of the subject. The credential is returned to the Web authenticator or EJB authenticator (5).

The Web authenticator and the EJB authenticator store the received credential in the ORB Current object, where the authorization service retrieves it when performing further access control checks.
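The flow described in the preceding paragraphs (authenticator hands user ID and password to a JAAS login module, the module consults a user registry, and on success a credential is placed in the subject's public credentials list) is illustrated by the following added example. It is not WebSphere code: `RegistryLoginModule`, `InMemoryRegistry` and `SessionCredential` are hypothetical stand-ins for the product's login module, user registry and CORBA credential, and the sample account is constructed. What it does show is the standard JAAS `LoginModule` contract (`login`/`commit`/`abort`/`logout`) that the authentication module is built on, with the registry check returning the same failure for an unknown user and a wrong password and the password buffer cleared after use.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RegistryLoginDemo {

    /** Hypothetical user registry: user ID -> SHA-256 of the password (stand-in for Local OS/LDAP/custom). */
    static final class InMemoryRegistry {
        private final Map<String, byte[]> users = new HashMap<>();
        void addUser(String id, char[] password) { users.put(id, digest(password)); }
        boolean checkPassword(String id, char[] password) {
            byte[] expected = users.get(id);
            // Unknown user and wrong password are indistinguishable to the caller.
            return expected != null && MessageDigest.isEqual(expected, digest(password));
        }
        static byte[] digest(char[] password) {
            try {
                return MessageDigest.getInstance("SHA-256")
                        .digest(new String(password).getBytes(StandardCharsets.UTF_8));
            } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
        }
    }

    /** Hypothetical credential; stands in for the CORBA credential stored in the subject. */
    static final class SessionCredential {
        final String userId;
        final String token = UUID.randomUUID().toString(); // constructed opaque token
        final boolean forwardable;                          // a rule the mechanism would define
        SessionCredential(String userId, boolean forwardable) { this.userId = userId; this.forwardable = forwardable; }
        @Override public String toString() { return "SessionCredential[" + userId + ", forwardable=" + forwardable + "]"; }
    }

    static final InMemoryRegistry REGISTRY = new InMemoryRegistry();

    /** Hypothetical JAAS login module, the counterpart of steps (2), (4) and (5) in the text. */
    public static class RegistryLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String userId;
        private boolean succeeded;
        private SessionCredential credential;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { name, pass }); // (2) authenticator supplies the data
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain authentication data: " + e);
            }
            char[] pw = pass.getPassword();
            try {
                if (pw == null || !REGISTRY.checkPassword(name.getName(), pw)) { // (4) consult registry
                    throw new FailedLoginException("authentication failed");
                }
            } finally {
                if (pw != null) Arrays.fill(pw, '\0'); // do not keep the cleartext around
                pass.clearPassword();
            }
            userId = name.getName();
            succeeded = true;
            return true;
        }

        @Override public boolean commit() {
            if (!succeeded) return false;
            credential = new SessionCredential(userId, false);
            subject.getPublicCredentials().add(credential); // (5) credential goes into the subject
            return true;
        }

        @Override public boolean abort() { boolean had = succeeded; userId = null; succeeded = false; return had; }

        @Override public boolean logout() {
            if (credential != null) subject.getPublicCredentials().remove(credential);
            credential = null; userId = null; succeeded = false;
            return true;
        }
    }

    /** Programmatic JAAS configuration so the example needs no jaas.conf file. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(RegistryLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>()) };
            }
        };
    }

    /** Plays the role of the Web/EJB authenticator that already holds the BasicAuth data. */
    static CallbackHandler handlerFor(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    static void attempt(String user, String password) {
        Subject subject = new Subject();
        try {
            new LoginContext("WebAuthenticator", subject, handlerFor(user, password.toCharArray()), config()).login();
            System.out.println(user + ": accepted, public credentials = " + subject.getPublicCredentials());
        } catch (LoginException e) {
            System.out.println(user + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        REGISTRY.addUser("alice", "correct horse".toCharArray()); // constructed sample account
        attempt("alice", "correct horse");   // accepted, subject carries one SessionCredential
        attempt("alice", "wrong password");  // rejected: authentication failed
        attempt("mallory", "anything");      // rejected with the identical message
    }
}
```

Compile and run with `javac RegistryLoginDemo.java && java RegistryLoginDemo`; no external library is needed because `LoginContext`, `Subject` and `LoginModule` are part of the JDK. The point to carry over to a real deployment is the split of responsibilities: the login module never sees the transport (HTTP, CSIv2 or SAS), it only answers whether the registry accepts the data and, if so, what credential the subject carries from then on.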

The WebSphere Application Server provides two authentication mechanisms: SWAM and LTPA. These two authentication mechanisms differ primarily in the distributed security features each supports.


WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.


IBM is a trademark of the IBM Corporation in the United States, other countries, or both.