Java Authentication and Authorization Service

Java Authentication and Authorization Service (JAAS) is a new feature in WAS. JAAS is the WAS strategic API for authentication and replaces the Common Object Request Broker Architecture (CORBA) programmatic login API.

WAS provides some extensions to JAAS:

Tip: Do not remove or delete the predefined JAAS login configurations (ClientContainer, WSLogin and DefaultPrincipalMapping). Deleting or removing them can cause other enterprise apps to fail.

A system administrator determines the authentication technologies, or login modules, to use for each application and configures them in a login configuration. The source of the configuration information, for example, a file or a database, is up to the current javax.security.auth.login.Configuration implementation. The WAS implementation permits the definition of the login configuration in both the WAS configuration API security document and in a JAAS configuration file, where the former takes precedence. JAAS login configurations are defined in the WAS configuration API security document for applications to use. To access the configurations:

  1. Click Security | Global security.

  2. Under Java Authentication and Authorization Service, click Application logins.

The WSLogin module defines a login configuration and the LoginModule implementation that can be used by applications in general.

The ClientContainer module defines a login configuration and the LoginModule implementation that is similar to the WSLogin module, but enforces the requirements of the WAS client container.

The DefaultPrincipalMapping module defines a special LoginModule that is typically used by Java 2 Connector to map an authenticated WAS user identity to a set of user authentication data (user ID and password) for the specified back-end enterprise information system (EIS).

For information about Java 2 Connector and the DefaultMappingModule, see the Java 2 Security section.

A new JAAS login configuration can be added and modified using the admin console. The changes are saved in the cell-level security document and are available to all managed appservers. An application server restart is required for the changes to take effect at runtime and for the client container login configuration to be made available.

WAS also reads JAAS configuration information from the wsjaas.conf file under the properties subdirectory of the root directory under which WAS is installed. Changes made to the wsjaas.conf file are used only by the local appserver and take effect after the appserver restarts. The JAAS configuration in the WAS configuration API security document takes precedence over that defined in the wsjaas.conf file. A configuration entry in the wsjaas.conf is overridden by an entry of the same alias name in the WAS configuration API security document.

The Java Authentication and Authorization Service (JAAS) login configuration entries in the admin console are propagated to the server runtime when they are created, not when the configuration is saved. However, the deleted JAAS login configuration entries are not removed from the server runtime. To remove the entries, save the new configuration, then stop and restart the server.
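Because the security document overrides wsjaas.conf and deleted entries linger in the runtime until a restart, it helps to check which login modules an alias actually resolves to in the running JVM. The following is an added example, not code from the WAS samples or from IBM: it uses only the standard javax.security.auth.login API, and the class name JaasAliasAudit is hypothetical. Outside WAS it reads whatever Configuration the JVM has active, for example a file named by -Djava.security.auth.login.config.

```java
import java.util.Locale;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Hypothetical audit helper (not part of WAS): prints the LoginModule stack
// that the JVM's active Configuration returns for each JAAS alias.
public class JaasAliasAudit {

    // Predefined aliases named on this page; extra aliases are taken from args.
    private static final String[] PREDEFINED =
        { "ClientContainer", "WSLogin", "DefaultPrincipalMapping" };

    static String describe(Configuration cfg, String alias) {
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(alias);
        if (entries == null || entries.length == 0) {
            return alias + ": NOT DEFINED in the active configuration\n";
        }
        StringBuilder sb = new StringBuilder(alias + ":\n");
        for (AppConfigurationEntry e : entries) {
            sb.append("  ").append(e.getLoginModuleName())
              .append(" [").append(e.getControlFlag()).append("]\n");
            for (Map.Entry<String, ?> opt : e.getOptions().entrySet()) {
                // Never echo credential-like option values into audit output.
                String key = opt.getKey();
                boolean secret = key.toLowerCase(Locale.ROOT)
                                    .matches(".*(pass|secret|key).*");
                sb.append("    ").append(key).append(" = ")
                  .append(secret ? "****" : String.valueOf(opt.getValue()))
                  .append('\n');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Configuration cfg;
        try {
            // Throws SecurityException if no configuration can be loaded or
            // the caller lacks AuthPermission("getLoginConfiguration").
            cfg = Configuration.getConfiguration();
        } catch (SecurityException ex) {
            System.err.println("No login configuration: " + ex.getMessage());
            return;
        }
        System.out.println("Configuration implementation: " + cfg.getClass().getName());
        for (String alias : PREDEFINED) System.out.print(describe(cfg, alias));
        for (String alias : args) System.out.print(describe(cfg, alias));
    }
}
```

Comparing the output before and after a restart shows whether a deleted alias is still present in the runtime, and an unexpected module class under WSLogin or DefaultPrincipalMapping is a sign that an entry of the same alias name has overridden the one you intended.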

 

Example

The Samples Gallery provides a JAAS login sample that demonstrates how to use JAAS with WAS. The sample uses a server-side login with JAAS to authenticate a user with the security runtime for WAS. The sample demonstrates the following technology:

The form login sample is a component of the technology samples.

For information on how to access the form login sample, see Accessing the Samples (Samples Gallery).



 

Related tasks


Set programmatic logins for Java Authentication and Authorization Service