Develop programmatic logins with the Java Authentication and Authorization Service


JAAS replaces the CORBA programmatic login APIs. WAS provides some extensions to JAAS:

Set com.ibm.CORBA.validateBasicAuth=false whenever connecting to a z/OS server. This function does not currently work from a distributed client to a z/OS server because the SecurityServer is located using the UNAUTHENTICATED principal, which is not accepted on a z/OS system.

 

  1. Use sas.client.props and look for the following properties:

    com.ibm.CORBA.securityServerHost=myhost.mydomain
    com.ibm.CORBA.securityServerPort=mybootstrap port
    
    If we specify these properties, security is guaranteed to look here for the SecurityServer. The host and port specified can represent any valid WebSphere host and bootstrap port. The SecurityServer resides on all server processes, so it is not important which host or port we choose. If specified, the security infrastructure within the client process looks up the SecurityServer based on the information in sas.client.props.

  2. Place the following code in the client application to get a new InitialContext():

    ...
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    ...

    // Perform an InitialContext and default lookup prior to logging
    // in so that target realm and bootstrap host/port can be
    // determined for SecurityServer lookup.
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY,
            "com.ibm.websphere.naming.WsnInitialContextFactory");
    env.put(Context.PROVIDER_URL,
            "corbaloc:iiop:myhost.mycompany.com:2809");
    Context initialContext = new InitialContext(env);
    Object obj = initialContext.lookup("");

    // programmatic login code goes here.
    
    
    Complete this step prior to running any programmatic login. This code specifies a provider URL for the naming context, and that URL must point to a valid WAS within the cell to which we are authenticating. Pointing to one cell allows thread-specific programmatic logins going to different cells to have a single system-wide SecurityServer location.

  3. Use the new default InitialContext() method relying on the naming precedence rules. These rules are defined in the article, Example: Getting the default initial context.
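
The ordering from step 2 in a complete client, as an added example that is not IBM's own sample code: the naming bootstrap runs first, then a JAAS login, then the secured call runs under the returned Subject. It assumes the WAS client runtime is on the classpath, that the client JAAS configuration defines the WSLogin alias, and that WSCallbackHandlerImpl and WSSubject are used as shown; the JNDI name ejb/MySecuredHome and the class name are hypothetical.

```java
import java.io.Console;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

public class ProgrammaticLoginExample {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Bootstrap naming first so the target realm and SecurityServer
        // location are known before any login is attempted.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, "corbaloc:iiop:myhost.mycompany.com:2809");
        final Context initialContext = new InitialContext(env);
        initialContext.lookup("");

        // Prompt for credentials at run time instead of embedding them.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no console for prompt");
        String user = console.readLine("User: ");
        char[] password = console.readPassword("Password: ");

        LoginContext lc;
        try {
            // Assumption: "WSLogin" is defined in the client JAAS configuration.
            lc = new LoginContext("WSLogin",
                    new WSCallbackHandlerImpl(user, new String(password)));
            lc.login();
        } catch (LoginException e) {
            System.err.println("Login failed: " + e.getMessage());
            return;  // fail closed: no secured call without a Subject
        } finally {
            Arrays.fill(password, '\0');  // clears our copy; the String copy remains
        }

        // Run the secured lookup under the authenticated Subject only.
        WSSubject.doAs(lc.getSubject(), (PrivilegedAction<Object>) () -> {
            try { return initialContext.lookup("ejb/MySecuredHome"); }  // hypothetical name
            catch (NamingException e) { throw new IllegalStateException(e); }
        });
        lc.logout();
    }
}
```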

 

Example

See the Example: Programmatic logins using BasicAuth article.

