Authentication mechanisms
Authentication is the process of establishing whether an end user, a machine, or an application is valid in a particular context. Authentication mechanisms define the rules about security information, and the format of how security information is stored in both credentials and tokens. Authentication mechanisms typically access user registries to obtain account information and create credentials.
WebSphere Application Server (WAS) provides several authentication mechanisms, although only one can be active at any given time.
Authentication is required for enterprise bean clients and Web clients when they access protected resources. Enterprise bean clients (a servlet, another enterprise bean, or a pure Java client) send their authentication information to the application server over either the CSIv2 or the SAS protocol; Web clients send theirs over HTTP or HTTPS.
The authentication information can be basic authentication (BasicAuth) data, a credential token, or a client certificate. Web authentication is performed by the Web authentication module, and enterprise bean authentication is performed by the EJB authentication module, which resides in the CSIv2 and SAS layer.
The authentication module is implemented using the JAAS login module. The Web authenticator and the EJB authenticator pass the authentication data to the login module, which can be either LTPA or SWAM.
The authentication module uses the user registry that is configured on the system to perform the authentication (4). Three types of registries are supported:
- LocalOS: the local operating system registry
- LDAP: an LDAP directory
- Custom: an external registry implementation that follows the registry interface specified by IBM and can replace either the LocalOS or the LDAP registry
The login module creates a JAAS subject after authentication and stores the CORBA credential derived from the authentication data in the public credentials list of the subject. The credential is returned to the Web authenticator or EJB authenticator (5).
The Web authenticator and the EJB authenticator store the received credential in the Object Request Broker (ORB) Current object, where the authorization service picks it up to perform further access control checks.
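The login-module flow described above (collect the authentication data, check it against a registry, and only then attach a credential to the JAAS Subject's public credentials) is shown below as an added example. It is plain JAAS code written for this page, not WAS's own LTPA or SWAM login module: the `UserRegistry` interface, the in-memory registry, the `RegistryCredential` class and the `WebAuth` configuration name are all assumptions standing in for the LocalOS/LDAP/custom registries and the CORBA credential the text mentions. Save it as `RegistryLoginModule.java`; it runs on a stock JDK with no `jaas.conf` file because the configuration is supplied programmatically.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical registry interface standing in for the LocalOS, LDAP or custom registry. */
interface UserRegistry {
    boolean checkPassword(String user, char[] password);
}

/** Constructed in-memory registry with one test account; a real deployment would query LocalOS or LDAP. */
class InMemoryRegistry implements UserRegistry {
    private final Map<String, char[]> users = new HashMap<>();
    InMemoryRegistry() { users.put("alice", "s3cret".toCharArray()); }
    public boolean checkPassword(String user, char[] password) {
        char[] expected = users.get(user);
        return expected != null && password != null && Arrays.equals(expected, password);
    }
}

/** Hypothetical credential object; WAS would store a CORBA credential here instead. */
final class RegistryCredential {
    final String userName;
    RegistryCredential(String userName) { this.userName = userName; }
    @Override public String toString() { return "RegistryCredential[" + userName + "]"; }
}

/** A minimal JAAS LoginModule following the two-phase login()/commit() contract. */
public class RegistryLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: obtain BasicAuth-style name and password and verify them against the registry.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword();   // returns a copy; clear both copies after use
        pc.clearPassword();
        succeeded = new InMemoryRegistry().checkPassword(nc.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!succeeded) throw new LoginException("authentication failed");
        userName = nc.getName();
        return true;
    }

    // Phase 2: the credential is attached to the Subject only after the whole login stack succeeded.
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPublicCredentials().add(new RegistryCredential(userName));
        return true;
    }

    public boolean abort() { succeeded = false; userName = null; return true; }
    public boolean logout() { subject.getPublicCredentials().clear(); return true; }

    public static void main(String[] args) throws LoginException {
        // Programmatic JAAS configuration: one REQUIRED module under the assumed entry name "WebAuth".
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    RegistryLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>()) };
            }
        });
        // The CallbackHandler plays the role of the Web/EJB authenticator handing data to the login module.
        CallbackHandler authenticator = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("WebAuth", authenticator);
        lc.login();
        System.out.println("Public credentials: " + lc.getSubject().getPublicCredentials());
    }
}
```

The point of the two-phase contract is that `commit()` never runs unless every module in the stack passed `login()`, so a Subject never carries a credential for a half-completed authentication; `abort()` discards the intermediate state in that case. The password array is wiped as soon as the registry check is done so it does not linger on the heap.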
WAS provides two authentication mechanisms:
- SWAM (Simple WebSphere Authentication Mechanism)
- LTPA (Lightweight Third Party Authentication)
These authentication mechanisms differ primarily in the distributed security features that each supports.