
Customize a server-side Java Authentication and Authorization Service authentication and login configuration

WebSphere Application Server (WAS) supports plugging in a custom JAAS login module before or after the WAS system login modules. However, WAS does not support replacing the WAS system login modules, which create the WSCredential credential and WSPrincipal principal in the Subject. With a custom login module you can either make additional authentication decisions or add information to the Subject that a Java EE application can use to make additional, potentially finer-grained, authorization decisions.

WebSphere Application Server enables you to propagate information downstream added to the Subject by a custom login module. For more information, see Security attribute propagation. To determine which login configuration to use for plugging in the custom login modules, see the descriptions of the login configurations that are located in the System login configuration entry settings for Java Authentication and Authorization Service.

WebSphere Application Server supports the modification of the system login configuration through the console and using the wsadmin scripting utility. To configure the system login configuration using the console, click Security > Global security. Under Java Authentication and Authorization Service, click System logins.


What to do next

A custom login module can read the application name and the HttpServletRequest object to perform mapping functions, and it can modify the error page of a form-based login. In addition to the JAAS framework, WebSphere Application Server supports the trust association interface (TAI).

A custom login module can add other credential types and information to the caller Subject during the authentication process. WebSphere Application Server manages the third-party credentials in the caller Subject as part of the security context, and the caller Subject is bound to the running thread while the request is processed. When a web or an EJB module is configured to use the caller identity, the user identity is propagated to the downstream service in an EJB request. The WSCredential credential and any third-party credentials in the caller Subject are not propagated downstream; instead, some of the information can be regenerated at the target server from the propagated identity. Add third-party credentials to the caller Subject at the authentication stage, because the caller Subject that the WSSubject.getCallerSubject method returns is read-only and cannot be modified. For more information on the WSSubject subject, see Get the caller subject from the thread for JAAS.
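The following custom login module is an added example, not code from this documentation or from WebSphere Application Server; it shows the pattern described above: a module stacked after the system login module that adds an attribute principal (a hypothetical DepartmentPrincipal) to the Subject at authentication time, so the application can make finer-grained authorization decisions later. It assumes the login configuration's callback handler supplies a NameCallback and uses a constructed name-to-department mapping in place of a real directory lookup.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class DepartmentLoginModule implements LoginModule {
    // Attribute principal this module adds to the Subject; the application can test for it.
    public static final class DepartmentPrincipal implements Principal {
        private final String name;
        public DepartmentPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private DepartmentPrincipal added;   // remembered so abort()/logout() can undo commit()
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        try {
            handler.handle(new Callback[] { nc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain user name: " + e.getMessage());
        }
        userName = nc.getName();
        // Throwing here vetoes the stacked login when this module is flagged "required".
        if (userName == null || userName.isEmpty()) throw new LoginException("no user name");
        return true;
    }
    @Override public boolean commit() throws LoginException {
        // Add attributes now: the caller Subject returned later by WSSubject.getCallerSubject is read-only.
        if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
        // Constructed mapping for this example; a real module would consult a directory or database.
        added = new DepartmentPrincipal(userName.startsWith("fin-") ? "finance" : "general");
        subject.getPrincipals().add(added);
        return true;
    }
    @Override public boolean abort() { undo(); return true; }
    @Override public boolean logout() { undo(); return true; }
    private void undo() {
        if (added != null && !subject.isReadOnly()) subject.getPrincipals().remove(added);
        added = null;
    }
}
```

An application can then inspect the caller Subject's principals for a DepartmentPrincipal; the two-phase login/commit structure keeps the Subject unchanged if another module in the stack fails.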



Related concepts

  • Security attribute propagation


Related tasks

  • Get the caller subject from the thread for JAAS

  • System login configuration entry settings for Java Authentication and Authorization Service