Set programmatic logins for Java Authentication and Authorization Service


Overview

A new JAAS login configuration can be set using the admin console. The changes are saved in the cell-level security document and are available to all managed appservers.

JAAS is a collection of WAS strategic authentication APIs and replaces CORBA programmatic login APIs.

WAS extensions to JAAS...

JAAS login configurations are defined in the WAS configuration API security document...

Security | Global security | Java Authentication and Authorization Service | Application logins

The following JAAS login configurations are available:

ClientContainer Defines a login configuration and a LoginModule implementation that is similar to that of the WSLogin configuration, but enforces the requirements of the WAS client container.
DefaultPrincipalMapping, Defines a special LoginModule module that is typically used by Java EE connectors to map an authenticated WAS user identity to a set of user authentication data (user ID and password) for the specified back-end enterprise information system.
WSLogin Defines a login configuration and a LoginModule implementation that applications can use in general.

A new JAAS login configuration can be added and modified using the admin console. The changes are saved in the cell-level security document and are available to all managed appservers. An appserver restart is required for the changes to take effect at run time.

Do not remove or delete the predefined JAAS login configurations (such as, ClientContainer, WSLogin, and DefaultPrincipalMapping). Deleting or removing them can cause other enterprise apps to fail.

 

  1. Delete a JAAS login configuration.

    1. Click...

        Security | Global security

    2. Under Java Authentication and Authorization Service, click Application logins. The Application Login Configuration panel is displayed.

    3. Select the check box for the login configurations to delete and click Delete.

  2. Create a new JAAS login configuration.

    1. Click...

        Security | Global security

    2. Under Java Authentication and Authorization Service, click Application logins.

    3. Click New. The Application Login Configuration panel is displayed.

    4. Specify the alias name of the new JAAS login configuration and click Apply. This value is the name of the login configuration that you pass in the javax.security.auth.login.LoginContext implementation for creating a new LoginContext context.

      Click Apply to save changes and to add the extra node name that precedes the original alias name. Clicking OK does not save the new changes in security.xml.

    5. Under Additional properties, click JAAS Login Modules.

    6. Click New.

    7. Specify the Module class name. Specify the WAS proxy LoginModule module because of the limitation of the class loader visibility.

    8. Specify the LoginModule implementation as the delegate property of the Proxy LoginModule module. The WAS proxy LoginModule class name is com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.

    9. Select Authentication strategy from the list and click Apply.

    10. Under Additional properties, click Custom properties.

      The Custom properties panel is displayed for the selected LoginModule.

    11. Create a new property with the name delegate and the value of the real LoginModule implementation. We can specify other properties like debug with the true value. These properties are passed to the LoginModule class as options to the initialize method of the LoginModule instance.

    12. Click Save.

      For an ND installation, make sure that a file synchronization operation is performed to propagate the changes to other nodes.

    Several locations are within the WAS directory structure where we can place a JAAS login module.

    The following list provides locations for the JAAS login module in order of recommendation:

    • Within an EAR file for a specific Java EE application.

      If we place the login module within the EAR file, the login module is accessible by the specific application only.

    • In the WAS-shared library.

      If we place the login module in the shared library, specify which applications can access the module.

      See on shared libraries, see Managing shared libraries.

    • In the Java extensions directory.

      If we place the JAAS login module in the Java extensions directory, the login module is available to all applications.

    Although the Java extensions directory provides the greatest availability for the login module, place the login module in an application EAR file. If other applications need to access the same login module, consider using shared libraries.

  3. Change the plain text file.

    WAS supports the default JAAS login configuration format, which is a plain text file, that is provided by the JAAS default implementation. However, a tool is not provided that edits plain text files in this format. We can define the JAAS login configuration in the plain text file, which is located in...

    APP_ROOT/properties/wsjaas.conf

    Any syntax errors can cause the incorrect parsing of the plain JAAS login configuration text file. This problem can cause other applications to fail. Java client programs that use the JAAS for authentication must invoke with the JAAS configuration file specified. This configuration file is set in...

    APP_ROOT/bin/launchClient.bat

    ...as...

    set JAAS_LOGIN_CONFIG=-Djava.security.auth.login.config=%install_root%\properties\wsjaas_client.conf

    If the launchClient.bat file is not used to invoke the Java client program, verify that the appropriate JAAS configuration file is passed to the Java virtual machine with the flag...

    -Djava.security.auth.login.config

 

Results

A new JAAS login configuration is created or an old JAAS login configuration is removed. An enterprise application can use a newly created JAAS login configuration without restarting the appserver process.

However, new JAAS login configurations defined in the APP_ROOT/properties/wsjaas.conf file, do not refresh automatically. Restart the appservers to validate changes. These JAAS login configurations are specific to a particular node and are not available for other appservers running on other nodes.

 

Next steps

Create new JAAS login configurations that are used by enterprise applications to perform custom authentication. Use these newly defined JAAS login configurations to perform programmatic login.


Login configuration for Java Authentication and Authorization Service
Configuration entry settings for Java Authentication and Authorization Service
System login configuration entry settings for Java Authentication and Authorization Service
Login module settings for Java Authentication and Authorization Service
Login module order settings for Java Authentication and Authorization Service
Login settings for Java Authentication and Authorization Service
Manage Java 2 Connector Architecture authentication data entries

 

Related concepts


J2EE connector security
Programmatic login for JAAS

 

Related tasks


Develop programmatic logins with the Java Authentication and Authorization Service
Manage shared libraries
Customizing application login with Java Authentication and Authorization Service