Customizing a server-side Java Authentication and Authorization Service authentication and login configuration


WAS supports plugging a custom JAAS login module in before or after the WAS system login module. WAS does not support replacing the system login modules themselves, because those modules create the WSCredential credential and the WSPrincipal principal in the Subject. A custom login module can make an additional authentication decision (fail the login even though the system module accepted it) or add information to the Subject that a Java EE application can later use for finer-grained authorization decisions.

WAS enables you to propagate information downstream that is added to the Subject by a custom login module.

See Security attribute propagation. To determine which login configuration to use for plugging in the custom login modules, see the descriptions of the login configurations that are located in the System login configuration entry settings for Java Authentication and Authorization Service.

WAS supports the modification of the system login configuration through the admin console and by using the wsadmin scripting utility. To configure the system login configuration using the admin console, click Security > Global security. Under Java Authentication and Authorization Service, click System logins.

 

 

Next steps

The application name and the HttpServletRequest object might be read by the custom login module to perform mapping functions. The error page of the form-based login might be modified by a custom login module. In addition to the JAAS framework, WAS supports the trust association interface (TAI).

Other credential types and information can be added to the caller Subject during the authentication process by a custom login module. WAS manages the third-party credentials in the caller Subject as part of the security context, and binds the caller Subject to the running thread while the request is processed. When a Web or EJB module is configured to use the caller identity, the user identity is propagated to the downstream service in an EJB request; the WSCredential credential and any third-party credentials in the caller Subject are not propagated. Instead, some of that information can be regenerated at the target server from the propagated identity. Because the caller Subject returned by the WSSubject.getCallerSubject method is read-only and cannot be modified, third-party credentials must be added at the authentication stage, that is, inside the login module while the Subject is still writable.

For more information on the WSSubject class, see Getting the caller subject from the thread.
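The following is an added example, not code from the WAS documentation or from IBM. It shows the two uses described above in one custom login module: an additional authentication decision (refuse web logins that did not arrive over TLS or that target a virtual host outside an allow-list) and a third-party credential added to the Subject during commit, with a small application-side reader that pulls that credential back out of the read-only caller Subject. The module is meant to be chained after the system login module of the WEB_INBOUND configuration. The WAS classes it uses (WSServletRequestCallback in com.ibm.wsspi.security.auth.callback, WSSubject and WSSecurityException in com.ibm.websphere.security) and their signatures are assumed from the WAS API documentation and should be checked against the javadoc of the version you deploy to; TenantLoginModule, TenantCredential, the custom properties allowedHosts and requireTls, and the callerTenant helper are hypothetical names chosen for this example.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

// WAS classes: package names and signatures are assumed from the WAS API docs.
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;

/**
 * Hypothetical custom login module, chained after the WAS system login module
 * in WEB_INBOUND. It does not replace the system module: WSCredential and
 * WSPrincipal are still created by WAS; this module only adds to the Subject.
 */
public class TenantLoginModule implements LoginModule {

    /** Hypothetical third-party credential: the tenant the caller logged in to. */
    public static final class TenantCredential implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String tenant;
        public TenantCredential(String tenant) { this.tenant = tenant; }
        public String getTenant() { return tenant; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Set<String> allowedHosts;  // custom property "allowedHosts" (comma-separated)
    private boolean requireTls;        // custom property "requireTls", default true
    private String tenant;             // decided in login(), applied in commit()
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object hosts = options.get("allowedHosts");
        String list = hosts == null ? "" : hosts.toString().trim().toLowerCase();
        this.allowedHosts = new HashSet<>(Arrays.asList(list.split("\\s*,\\s*")));
        this.requireTls = !"false".equalsIgnoreCase(String.valueOf(options.get("requireTls")));
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user:");
        WSServletRequestCallback reqCb = new WSServletRequestCallback("request:");
        try {
            handler.handle(new Callback[] { nameCb, reqCb });
        } catch (IOException | UnsupportedCallbackException e) {
            return false;  // not a web login (no request available): ignore this module
        }
        HttpServletRequest req = reqCb.getHttpServletRequest();
        if (req == null) {
            return false;
        }
        // Additional authentication decision 1: credentials must have travelled over TLS.
        if (requireTls && !req.isSecure()) {
            throw new LoginException("login for " + nameCb.getName() + " refused: not over TLS");
        }
        // Additional authentication decision 2: the virtual host must be on the allow-list.
        // getServerName() is derived from the client-supplied Host header unless the web
        // server plug-in or virtual-host configuration validated it, hence the allow-list.
        String host = req.getServerName().toLowerCase();
        if (!allowedHosts.contains(host)) {
            throw new LoginException("login for " + nameCb.getName() + " refused: host " + host);
        }
        tenant = host;
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (!succeeded) {
            return false;
        }
        // The Subject passed to the login module is still writable here. The caller
        // Subject obtained later via WSSubject.getCallerSubject() is read-only.
        subject.getPublicCredentials().add(new TenantCredential(tenant));
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        tenant = null;
        succeeded = false;
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        if (!subject.isReadOnly()) {
            subject.getPublicCredentials()
                   .removeAll(subject.getPublicCredentials(TenantCredential.class));
        }
        tenant = null;
        succeeded = false;
        return true;
    }

    /** Application side: the caller's tenant from the (read-only) caller Subject, or null. */
    public static String callerTenant() throws WSSecurityException {
        Subject caller = WSSubject.getCallerSubject();
        if (caller == null) {
            return null;
        }
        for (TenantCredential c : caller.getPublicCredentials(TenantCredential.class)) {
            return c.getTenant();
        }
        return null;
    }
}
```

Register the class on the WEB_INBOUND entry under Security > Global security > Java Authentication and Authorization Service > System logins, ordered after the system login module, with allowedHosts set to the virtual hosts you serve. Returning false from login() when the request callback is unsupported keeps the module inert for non-web logins instead of failing them, and the credential is only added in commit(), so a rejected login leaves nothing behind in the Subject. As the text notes, the TenantCredential is not propagated downstream; a target server that needs it must regenerate it from the propagated identity.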


Getting the caller subject from the thread
Getting the RunAs subject from the thread
Overriding the RunAs subject on the thread
Revoking users from a cache

 

Related concepts


Security attribute propagation

 

Related tasks


Getting the caller subject from the thread

 

Related


System login configuration entry settings for Java Authentication and Authorization Service