WSCredential and virtual member manager access control
The WAS authentication process is based on the mechanism defined in javax.security.auth.login.LoginContext. In this authentication process, WAS provides a login module which implements the javax.security.auth.spi.LoginModule SPI interface. The login module is responsible for authenticating login principals.
The WAS LoginModule is configured in the javax.security.auth.login.Configuration Java class under the WAS-defined name WSLogin. To start the authentication process, a new javax.security.auth.login.LoginContext object is instantiated with the LoginModule name WSLogin. With this name specified, the WAS LoginModule is invoked and calls user registry APIs to authenticate the login principal. The WAS LoginModule may bypass the call to the user registry if the identifier and group membership have already been supplied by a Trust Authority Interceptor (TAI). The unique identifier of the subject is stored in the WSCredential of the subject. Virtual member manager instance-based access control relies on the unique identifier of the principal and the group membership to determine role mapping and rule-based access. The identifiers can come from the following sources:
- A user is authenticated by the WAS out-of-the-box LDAP UserRegistry adapter.
- A user is authenticated by the WAS out-of-the-box OS UserRegistry adapter.
- A user is authenticated by a WAS custom UserRegistry adapter.
- A user is authenticated by a TAI security proxy.
- A user is authenticated by the virtual member manager UR adapter.
Authentication rules
Because virtual member manager manages the login accounts, as well as provides a User Registry interface to authenticate users, virtual member manager sees the user as both a subject and a resource. The virtual member manager instance-based access control engine grants an authenticated subject authorized access to the resources in virtual member manager. In some cases the subject and the resource are the same. The following is an example of a self-care password rule:
- If the authenticated user is the owner of the login account (the identifier of the subject is the same as the identifier of the account), then the subject may change the password of the account.
The rule assumes that virtual member manager is configured as the User Registry for WAS authentication. However, you can use other forms of authentication (CUR, LDAP UR, TAI plug-in) that might not be using virtual member manager identifiers. If this occurs and the same repository used by the non-virtual member manager authentication method is also configured under virtual member manager as a virtual member manager repository, then the account object used to build the subject is known to virtual member manager.
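The following is an added illustration, not code from the IBM documentation, of how the self-care rule above depends on the identifier carried in WSCredential: it authenticates through the WSLogin configuration, reads the unique identifier the login module placed in the subject, and compares it with the identifier of the target account. The class name, the constructed identifiers in main, and the assumption that identifiers are compared exactly as the registry reports them (no realm-prefix or DN normalization) are this example's own.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.websphere.security.cred.WSCredential;

/** Illustrative class (not part of WAS or virtual member manager). */
public class SelfCareRuleCheck {

    /** Runs the WAS LoginModule configured under the name WSLogin and returns the Subject. */
    static Subject authenticate(String user, String password) throws LoginException {
        LoginContext ctx = new LoginContext("WSLogin", new WSCallbackHandlerImpl(user, password));
        ctx.login();
        return ctx.getSubject();
    }

    /** Unique identifier stored in the WSCredential by the login module
     *  (or supplied by a TAI). Its format depends on the registry that authenticated the user. */
    static String uniqueIdOf(Subject subject) throws Exception {
        Set<WSCredential> creds = subject.getPublicCredentials(WSCredential.class);
        if (creds.isEmpty()) {
            throw new IllegalStateException("subject carries no WSCredential");
        }
        return creds.iterator().next().getUniqueSecurityName();
    }

    /** Self-care rule: the subject may change the password only when its identifier
     *  equals the identifier of the account. Assumption: exact comparison, no normalization. */
    static boolean subjectOwnsAccount(String subjectUniqueId, String accountUniqueId) {
        return subjectUniqueId != null && subjectUniqueId.equals(accountUniqueId);
    }

    /** Offline demonstration with constructed identifiers (no WAS runtime needed). */
    public static void main(String[] args) {
        // Constructed: identifier of the account as known to virtual member manager (LDAP DN).
        String accountId = "uid=jsmith,o=example";
        // Constructed: identifier a virtual-member-manager-compatible registry places in WSCredential.
        String vmmSubjectId = "uid=jsmith,o=example";
        // Constructed: identifier a non-VMM registry (for example, OS registry) might report.
        String osSubjectId = "jsmith";

        System.out.println("VMM identifier -> granted: " + subjectOwnsAccount(vmmSubjectId, accountId));
        System.out.println("OS identifier  -> granted: " + subjectOwnsAccount(osSubjectId, accountId));
    }
}
```

The second comparison is denied even though both identifiers name the same person, which is exactly why rule-based permissions fail when WSCredential carries identifiers that virtual member manager cannot match to its own Person or Account objects.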
If the virtual member manager access control policy is built with identifiers from the non-virtual member manager authentication platform, virtual member manager role-based access control works, but rule-based access policy involving the Person or Account objects is not granted permissions.
Rule-based conditional permissions that use virtual member manager resources as the subject (for example, "if the subject is the owner" or "if the subject is the manager") are granted only if virtual member manager compatible identifiers for the principal are used in WSCredential. Rule-based access to virtual member manager resources is available only when all of the following conditions exist:
- virtual member manager is configured as the user registry, or as the alternate user registry.
- virtual member manager is configured to use the same identifiers (for example, the LDAP user registry is configured as a repository using the DN as the identifier).
- virtual member manager is configured with a realm that contains the same LDAP server identified by the DN.