J2EE connector security
The J2EE connector architecture defines a standard architecture for connecting the J2EE to heterogeneous enterprise information systems (EIS). Examples of EIS include...
- Enterprise Resource Planning (ERP)
- mainframe transaction processing (TP)
- database systems
The connector architecture enables an EIS vendor to provide a standard resource adapter for its EIS. A resource adapter is a system-level software driver that is used by a Java application to connect to an EIS. The resource adapter plugs into an appserver and provides connectivity between the EIS, the appserver, and the enterprise application. Accessing information in EIS typically requires access control to prevent unauthorized accesses. J2EE applications must authenticate to the EIS to open a connection to it.
The J2EE Connector security architecture is designed to extend the end-to-end security model for J2EE-based applications to include integration with EISs. An appserver and an EIS collaborate to ensure the proper authentication of a resource principal, which establishes a connection to an underlying EIS. The connector architecture identifies the following mechanisms as the commonly-supported authentication mechanisms, although other mechanisms can be defined:
BasicPassword Basic user-password-based authentication mechanism that is specific to an EIS Kerbv5 Kerberos V5-based authentication mechanism
Applications define whether to use application-managed signon or container-managed signon in the resource-ref elements in the deployment descriptor. Each resource-ref element describes a single connection factory reference binding. The res-auth element in a resource-ref element, whose value is either Application or Container, indicates whether the enterprise bean code can perform signon or whether WAS can signon to the resource manager using the principal mapping configuration. The resource-ref element is typically defined at application assembly time with an assembly tool such as the Application Server Toolkit (AST) or Rational Web Developer.assembly tool. The resource-ref can also be defined, or redefined, at deployment time.
Application managed signon
To access an EIS system, applications locate a connection factory from the JNDI namespace and invoke the getConnection method on that connection factory object. The getConnection method might require a user ID and password argument. A J2EE application can pass in a user ID and password to the getConnection method, which subsequently passes the information to the resource adapter. Specifying a user ID and password in the application code has some security implications, however.
The user ID and password, if coded into the Java source code, are available to developers and testers in the organization. Also, the user ID and password are visible to users if they decompile the Java class.
The user ID and password cannot be changed without first requiring a code change. Alternatively, application code might retrieve sets of user IDs and passwords from persistent storage or from an external service. This approach requires that IT administrators configure and manage a user ID and password using the application-specific mechanism.
WAS supports a component-managed authentication alias to be specified on a resource. This authentication data is common to all references to the resource. On the panel...
Resources | Resource Adapters | J2C connection factories | configuration_name...select Use component-managed authentication alias. When res-auth=Application, the authentication data is taken from the following elements, in order:
- The user ID and password that are passed to the getConnection method
- The component-managed authentication alias in the connection factory or the data source
- The custom properties user name and password in the data source
The user name and password properties can be initially defined in the resource adapter archive (RAR) file.
These properties can also be defined in the console or with wsadmin scripting under custom properties.
Container-managed signon
The user ID and password for the target enterprise information systems (EIS) can be supplied by the appserver. WAS provides container-managed signon functionality. The Application Server locates the proper authentication data for the target EIS to enable the client to establish a connection. Application code does not have to provide a user ID and password in the getConnection call when it is configured to use container-managed signon, nor does authentication data have to be common to all references to a resource. WAS uses a JAAS pluggable authentication mechanism to use a pre-configured JAAS login configuration, and LoginModule to map a client security identity and credentials on the running thread to a pre-configured user ID and password.
WAS ships a default many-to-one credential mapping LoginModule module that maps any client identity on the running thread to a preconfigured user ID and password for a specified target EIS. The default mapping module is a special purpose JAAS LoginModule module that returns a PasswordCredential credential that is specified by the configured Java 2 Connector (J2C) authentication data entry. The default mapping LoginModule module performs a table lookup, but does not perform actual authentication. The user ID and password are stored together with an alias in the J2C Authentication data list.
The J2C Authentication data list is located on the Secure administration, applications, and infrastructure panel under Java Authentication and Authorization Service > J2C Authentication data. The default principal and credential mapping function is defined by the DefaultPrincipalMapping application JAAS login configuration.
J2C Authentication data that is modified using the console takes effect when the modification is saved into the repository and TestConnection is performed. Also, J2C Authentication data that is modified using wsadmin scripting takes effect when any application is started or restarted for a given server process. J2C Authentication Data modification takes effect by invoking the SecurityAdmin MBean method, updateAuthDataCfg. Set the HashMap parameter to null to enable the Securityadmin MBean to refresh the J2C Authentication data using the latest values in the repository.
Do not modify the DefaultPrincipalMapping login configuration because WAS added performance enhancements to this frequently used default mapping configuration. WAS does not support modifying the DefaultPrincipalMapping configuration, changing the default LoginModule module, or stacking a custom LoginModule module in the configuration.
For most systems, the default method with a many-to-one mapping is sufficient. However, WAS does support custom principal and credential mapping configurations. Custom mapping modules can be added to the application logins JAAS configuration by creating a new JAAS login configuration with a unique name. For example, a custom mapping module can provide one-to-one mapping or Kerberos functionality.
You also can use the console to bind the resource manager connection factory references to one of the configured resource factories. If the value of the res-auth element is Container within the deployment descriptor for your application, specify the mapping configuration. To specify the mapping configuration, use the Resource references link under References on the panel...
Applications | Enterprise applications | application
J2C mapping modules and mapping properties
Mapping modules are special JAAS login modules that provide principal and credential mapping functionality. You can define and configure custom mapping modules using the console.
You also can define and pass context data to mapping modules by using login options in each JAAS login configuration. In WAS, you also can define context data using mapping properties on each connection factory reference binding.
Login options that are defined under each JAAS login configuration are shared among all resources that use the same JAAS login configuration and mapping modules. Mapping properties that are defined for each connection factory reference binding are used exclusively by that resource reference.
Consider a usage scenario where an external mapping service is used.
For example, you might use the Tivoli Access Manager Global Sign-On (GSO) service. Use the Tivoli Access Manager GSO to locate authentication data for both back-end servers.
You have two EIS servers: DB2 and MQ. The authentication data for DB2 is different from that for MQ, however. Use the login option in a mapping JAAS login configuration to specify the parameters that are required to establish a connection to the Tivoli Access Manager GSO service. Use the mapping properties in a connection factory reference binding to specify which EIS server requires the user ID and password.
For more detailed information about developing a mapping module, see the J2C principal mapping modules article.
- WAS Vconfigures container-managed signon under each enterprise application. This action is different than WAS V5, which configures container-managed signon for each connection factory.
- The deprecated way of configuration at the panel...
Resources | Resource Adapters | J2C connection factories | configuration_name...still works in WAS V6.1. The advantage to configuring at this level is that the configuration has an application scope and is not visible to other applications. However, the mapping configuration that is defined at this level is visible to other applications.
- The mapping configuration at the connection factory has moved to the resource manager connection factory reference. The mapping login modules that are developed using WAS V5 JAAS callback types can be used by the resource manager connection factory reference, but the mapping login modules cannot take advantage of the custom mapping properties feature.
- Connection factory reference binding supports mapping properties, and passes those properties to mapping login modules by way of a new WSMappingPropertiesCallback callback. In addition, the WSMappingPropertiesCallback callback and the new WSManagedConnectionFactoryCallback callback are defined in the com.ibm.wsspi package. Use the new mapping login modules with the new callback types.
Related concepts
Programmatic login
Related Reference
J2C principal mapping modules