Implement a custom authentication provider using JASPI
We can implement a custom authentication provider using Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) to handle the Java EE authentication of HTTP request and response messages destined for web applications.
For JASPI authentication processing to take place, application security must be enabled in the global or domain security configuration and the server must be restarted for the configuration changes to take effect. Read the Application security topic for more information.
This release of WAS supports the JSR 196: Java Authentication SPI for Containers (JASPI, sometimes called JASPIC) specification, which enables third-party security providers to handle the Java EE authentication of HTTP request and response messages destined for web applications. The JASPI specification extends the pluggable authentication concepts of JAAS to the authentication of HTTP request and response messages. When application security is enabled and a protected web resource is accessed, the web container and the security runtime collaborate to make an authentication decision for the caller. When using a third-party JASPI provider, the authentication decision is delegated to that provider.
The JASPI specification defines standard system programming interfaces that enable developers to write a pluggable custom authentication provider that can handle Java EE web authentication mechanisms as well as any extended authentication processing. The WAS runtime uses these standard system programming interfaces to invoke the JASPI authentication provider. For the requirements that third-party authentication providers must satisfy, read the Servlet Container Profile section in the JSR 196: Java Authentication Service Provider Interface for Containers specification.
If application security is enabled with JASPI authentication, when the web resource (such as a servlet or a JSP file) is accessed, the security runtime checks if the web resource is mapped to a JASPI provider defined in the security configuration. If so, the runtime invokes the JASPI authentication provider to perform authentication for the HTTP request and response messages.
To implement a custom authentication provider using JASPI you must do the following:
- Develop a custom JASPI authentication provider.
WebSphere Application Server provides support for the development of custom JASPI authentication providers to be used to perform authentication for the HTTP request and response messages destined for web applications. Read Develop a custom JASPI authentication provider for more information.
- Configure a new JASPI authentication provider.
WebSphere Application Server allows an administrator to enable JASPI authentication and to define a third-party JASPI authentication provider as part of the global or domain security configuration. Read Configure a new JASPI authentication provider using the administrative console for more information.
- Associate a JASPI authentication provider with an application or specific web modules.
During application deployment, the administrator or deployer can use the Map JASPI Provider option to associate web applications and specific web modules with an existing JASPI authentication provider as defined in the security configuration. This association can also be made when editing the options for an existing installed application. By default, an application inherits the JASPI settings defined in the WAS global or domain security configuration, and web modules inherit the application setting. The Map JASPI Provider option can be used to override these defaults. Read Enable JASPI authentication using the Map JASPI provider option during application deployment for more information.
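The following is an added example, not code from the product documentation: a minimal JSR 196 ServerAuthModule of the kind the runtime invokes for a mapped web resource. The class name, the X-Sample-Token header, the sample.token option and the sample-user principal are hypothetical; the javax.security.auth.message types are the standard JSR 196 API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Added example: class name, header, option key and principal name are hypothetical.
public class SampleTokenAuthModule implements ServerAuthModule {
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    private byte[] expected;

    @Override
    public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy, CallbackHandler handler, Map options) throws AuthException {
        Object token = (options == null) ? null : options.get("sample.token");
        if (token == null) throw new AuthException("sample.token is not configured"); // fail closed
        this.expected = token.toString().getBytes(StandardCharsets.UTF_8);
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) info.getResponseMessage();
        String sent = req.getHeader("X-Sample-Token");
        // The container sets this map entry when the resource requires authentication.
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(MANDATORY)));
        try {
            if (sent == null && !mandatory) return AuthStatus.SUCCESS; // authentication not required here
            // Constant-time comparison avoids leaking the token through response timing.
            if (sent == null || !MessageDigest.isEqual(expected, sent.getBytes(StandardCharsets.UTF_8))) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            // Ask the container to establish the caller identity on the client subject.
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, "sample-user") });
            return AuthStatus.SUCCESS;
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("validateRequest failed").initCause(e);
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }

    @Override
    public void cleanSubject(MessageInfo info, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```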
Subtopics
- Develop a custom JASPI authentication provider
We can develop a custom Java Authentication SPI for Containers (JASPI) authentication provider by creating classes that implement the required interfaces noted in the JSR 196: Java Authentication Service Provider Interface for Containers specification.
- Configure a new JASPI authentication provider using the administrative console
We can configure a new Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the administrative console.
- Modify an existing JASPI authentication provider using the administrative console
We can modify and configure an existing Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the administrative console.
- Delete a JASPI authentication provider using the administrative console
We can delete an existing Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the administrative console.
- Enable JASPI authentication using the Map JASPI provider option during application deployment
An administrator or deployer can use the Map JASPI Provider option during application deployment to associate web applications and specific web modules with an existing Java Authentication SPI (JASPI) authentication provider as defined in the security configuration. This association can also be made when editing the options for a previously installed application.
- JASPI authentication providers collection
The Java Authentication Service Provider Interface (JASPI) for Containers Version 1.0 specification defines standard system programming interfaces that enable developers to write a pluggable custom authentication provider that can handle Java EE web authentication mechanisms as well as any extended authentication processing. The WAS runtime uses these standard system programming interfaces to invoke the JASPI authentication provider.
- JASPI authentication provider details
Use this page to provide configuration details for your custom Java Authentication SPI (JASPI) authentication service provider.
- JASPI authentication enablement for applications
Use this page to enable or disable Java Authentication SPI (JASPI) authentication for an application or web module, and to specify the name of a JASPI authentication provider to be used for authenticating messages for the application or web module.
Related concepts
Application security
Related tasks
Create new multiple security domains
JaspiManagement (AdminTask)
JASPI authentication providers collection
JASPI authentication provider details
JASPI authentication enablement for applications
Related information:
JSR 196: Java Authentication Service Provider Interface for Containers