Configure a new JASPI authentication provider using the administrative console
We can configure a new Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the administrative console.
This release of WebSphere Application Server supports integration of message authentication providers that are compliant with the JASPI for Containers Version 1.0 specification.
When JASPI authentication providers are configured, and WebSphere Application Server receives an HTTP request message, the security runtime environment determines if the target application is configured to use JASPI authentication. If so, the runtime environment invokes the selected authentication provider to validate the received message. Otherwise, authentication of the message request is done according to the authentication mechanism provided by WebSphere Application Server for the appropriate messaging layer.
To use JASPI message authentication services, supply an implementation of the required interfaces as defined in the JASPI specification. See "Develop a custom JASPI authentication provider" for more information on these interfaces.
Authentication of HTTP request and response messages destined for JASPI-enabled deployed applications is performed according to the requirements of the Servlet Container Profile specified in the new specification.
JASPI is supported in a mixed-cell environment, but can only be used in nodes that are version 8 or higher. Back-level nodes use existing authentication mechanisms.
To configure a new JASPI authentication provider using the administrative console, do the following:
- Click Security > Global security.
- Select Enable Java Authentication SPI (JASPI) to enable support for JASPI authentication.
- Click Providers.
It is not necessary to select Enable Java Authentication SPI (JASPI) until after we have configured a new JASPI authentication provider.
Best practice: The Default provider option is used to specify a single JASPI authentication provider to perform authentication for all web modules when JASPI authentication is enabled, and we do not override the web module to JASPI provider mapping during application deployment. During application deployment, we can override the default for every web module where it does not apply by choosing not to use JASPI or by naming a different provider to use for authentication. However, using this option is not recommended unless we are certain that the default provider is capable of handling all types of web authentication (basic authentication, form authentication and client certificate authentication).
- Click New.
- Enter a name that uniquely identifies the JASPI authentication provider in the Provider name field.
- Optional: Enter a textual description of the authentication provider in the Description field.
- Enter the package-qualified name of the class that implements the authentication provider interface (javax.security.auth.message.config.AuthConfigProvider) in the Class name field.
In the Message layer field, WebSphere Application Server v8.5 supports only the HttpServlet message layer profile as defined in the JASPI specification. We cannot change this value.
- Optional: Under Custom Properties, click New if you require more than one property. This parameter is a list of key/value pairs.
- Click OK or Apply.
What to do next
We can also configure a new JASPI authentication provider by using wsadmin commands. See "JaspiManagement command group (AdminTask)" for more information.
Verify that your server has been restarted so that the changes to configure the JASPI provider will take effect.
Related tasks
- Develop a custom JASPI authentication provider
- Implement a custom authentication provider using JASPI
- Modify an existing JASPI authentication provider using the administrative console
- Enable JASPI authentication using the Map JASPI provider option during application deployment
- Delete a JASPI authentication provider using the administrative console
- JaspiManagement (AdminTask)
- JASPI authentication providers collection
- JASPI authentication provider details
- JASPI authentication enablement for applications