Configure a new JASPI authentication provider
We can configure a new Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain by .
This release of WAS supports integration of message authentication providers that are compliant with the JASPI for Containers v1.0 specification.
When JASPI authentication providers are configured, and WAS receives an HTTP request message, the security runtime environment determines if the target application is configured to use JASPI authentication. If so, the runtime environment invokes the selected authentication provider to validate the received message. Otherwise, authentication of the message request is done according to the authentication mechanism provided by WAS for the appropriate messaging layer.
To use JASPI message authentication services, supply an implementation of the required interfaces as defined in the JASPI specification. Read Develop a custom JASPI authentication provider for more information on these interfaces.
Authentication of HTTP request and response messages destined for JASPI-enabled deployed applications is performed according to the requirements of the Servlet Container Profile defined in the JASPI specification.
JASPI is supported in a mixed-cell environment, but can only be used in nodes that are version 8 or higher. Back-level nodes use existing authentication mechanisms.
To configure a new JASPI authentication provider, do the following:
Procedure
- Click Security > Global security.
- Select Enable Java Authentication SPI (JASPI) to enable support for JASPI authentication.
- Click Providers.
It is not necessary to select Enable Java Authentication SPI (JASPI) until after we have configured a new JASPI authentication provider.
The Default provider option specifies a single JASPI authentication provider that performs authentication for all web modules when JASPI authentication is enabled and you do not override the web module to JASPI provider mapping during application deployment. During application deployment, you can override the default for every web module where it does not apply, either by choosing not to use JASPI or by naming a different provider to use for authentication. However, using this option is not recommended unless you are certain that your default provider is capable of handling all types of web authentication (basic authentication, form authentication and client certificate authentication).
- Click New.
- Enter a name that uniquely identifies the JASPI authentication provider in the Provider name field.
- Optional: Enter a textual description of the authentication provider in the Description field.
- Enter the package-qualified name of the class that implements the authentication provider interface (javax.security.auth.message.config.AuthConfigProvider) in the Class name field.
In the Message layer field, WAS v8.0 supports only the HttpServlet message layer profile as defined in the JASPI specification. We cannot change this value.
- Optional: Under Custom Properties, click New if you require more than one property. This parameter is a list of key/value pairs.
- Click OK.
What to do next
We can also configure a new JASPI authentication provider by using wsadmin.sh commands. Read JaspiManagement command group for more information.
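The console procedure above, scripted with JaspiManagement commands, is shown here as an added example; it is not part of the original page or the product's own sample code. The provider name, class name, description and the debug property are placeholders, and the parsing of the provider-name list assumes that the command returns a bracketed string.

```jython
# Run inside wsadmin, for example: wsadmin.sh -lang jython -f define_jaspi_provider.py
# AdminTask and AdminConfig are objects supplied by wsadmin, not imports.

# Placeholders (assumptions): substitute your own provider name, class and properties.
PROVIDER_NAME = 'exampleJaspiProvider'
CLASS_NAME = 'com.example.security.ExampleAuthConfigProvider'  # implements AuthConfigProvider
DESCRIPTION = 'Example JASPI provider'
PROPERTIES = '[ [debug false] ]'   # custom properties as key/value pairs

def provider_names():
    # Assumption: displayJaspiProviderNames returns the names as one bracketed
    # string; strip the brackets and separators to get a plain list of names.
    raw = AdminTask.displayJaspiProviderNames()
    return raw.replace('[', ' ').replace(']', ' ').replace(',', ' ').split()

# Provider names must be unique, so do not define the same name twice.
if PROVIDER_NAME in provider_names():
    print 'Provider %s is already defined; nothing created.' % PROVIDER_NAME
else:
    AdminTask.defineJaspiProvider(
        '-providerName %s -className %s -description "%s" -properties %s'
        % (PROVIDER_NAME, CLASS_NAME, DESCRIPTION, PROPERTIES))
    print 'Defined provider %s' % PROVIDER_NAME

# Enable JASPI without naming a default provider, so that each web module is
# mapped to a provider explicitly during application deployment.
AdminTask.configureJaspi('-enabled true')

# Show the resulting settings and provider list before committing them.
print AdminTask.getJaspiInfo()
print provider_names()

# Write the changes to the master configuration.
AdminConfig.save()
```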
Verify that your server has been restarted so that the changes to configure the JASPI provider will take effect.
Related
JaspiManagement command group
JASPI authentication providers collection
JASPI authentication provider details
JASPI authentication enablement for applications