
Develop programmatic logins with the Java Authentication and Authorization Service

JAAS replaces the Common Object Request Broker Architecture (CORBA) programmatic login APIs.

WebSphere Application Server provides some extensions to JAAS:

Set com.ibm.CORBA.validateBasicAuth=false whenever connecting to a z/OS server. This function does not currently work from a distributed client to a z/OS server because the SecurityServer is located using the UNAUTHENTICATED principal, which is not accepted on a z/OS system.

  1. Use the sas.client.props file and look for the following properties:
    com.ibm.CORBA.securityServerHost=myhost.mydomain
    com.ibm.CORBA.securityServerPort=mybootstrap port
    If you specify these properties, security is guaranteed to look here for the SecurityServer. The host and port specified can represent any valid WebSphere host and bootstrap port. The SecurityServer resides on all server processes, so it is not important which host or port you choose. If specified, the security infrastructure within the client process looks up the SecurityServer based on the information in the sas.client.props file.

  2. Place the following code in the client application to get a new InitialContext():
    ...
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    ...

    // Perform an InitialContext and default lookup prior to logging
    // in so that target realm and bootstrap host/port can be
    // determined for SecurityServer lookup.

    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY,
            "com.ibm.websphere.naming.WsnInitialContextFactory");
    env.put(Context.PROVIDER_URL,
            "corbaloc:iiop:myhost.mycompany.com:2809");
    Context initialContext = new InitialContext(env);
    Object obj = initialContext.lookup("");

    // programmatic login code goes here.

    Complete this step prior to running any programmatic login. This code specifies a provider URL for your naming context, which must point to a valid WebSphere Application Server within the cell to which you are authenticating. Pointing to one cell allows thread specific programmatic logins going to different cells to have a single system-wide SecurityServer location.

  3. Use the new default InitialContext() method relying on the naming precedence rules described in the example of getting the default initial context.


Example: Programmatic logins using BasicAuth

This example illustrates how application programs can perform a programmatic login using BasicAuth.

Add Programmatic logins with Kerberos token:

    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
    ...

    LoginContext lc = null;

    try {
        // WSKRB5Login is the Kerberos login configuration.
        lc = new LoginContext("WSKRB5Login",
                new WSCallbackHandlerImpl("userName", "password"));
    } catch (LoginException le) {
        System.out.println("Cannot create LoginContext. " + le.getMessage());
        // Insert the error processing code
    } catch (SecurityException se) {
        System.out.println("Cannot create LoginContext. " + se.getMessage());
        // Insert the error processing code
    }

    try {
        lc.login();
    } catch (LoginException le) {
        System.out.println("Fails to create Subject. " + le.getMessage());
        // Insert the error processing code
    }

As shown in the example, the new login context is initialized with the WSKRB5Login login configuration and the WSCallbackHandlerImpl callback handler. Use the WSCallbackHandlerImpl instance on a server-side application where we do not want to be prompted. A WSCallbackHandlerImpl instance is initialized by the specified user ID, password, and realm information. The present Krb5LoginModuleWrapperClient class implementation specified by the WSKRB5Login login configuration can only retrieve authentication information from the specified callback handler. We can construct a login context with a Subject object, but the Subject is disregarded by the present Krb5LoginModuleWrapperClient implementation.

For a pure Java application client, the product provides two other callback handler implementations: WSStdinCallbackHandlerImpl and WSGUICallbackHandlerImpl, which prompt for user ID, password, and realm information on the command line and in a pop-up panel, respectively. You can choose either of these product callback handler implementations, depending on the particular application environment. You can develop a new callback handler if neither of these implementations fits your particular application requirement.
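A minimal custom callback handler of the kind the paragraph above mentions, as an added example that is not part of the product documentation. The class name NonPromptingCallbackHandler is hypothetical, only the standard javax.security.auth.callback API is used, and which product-specific callbacks a login module sends is not shown on this page, so unrecognized callbacks are assumed safe to leave unanswered.

```java
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

// Hypothetical handler: supplies credentials without prompting and lets the
// caller wipe the password from memory once the login has completed.
public class NonPromptingCallbackHandler implements CallbackHandler {
    private final String userName;
    private char[] password; // char[] can be zeroed; a String cannot

    public NonPromptingCallbackHandler(String userName, char[] password) {
        this.userName = userName;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks) {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(userName);
            } else if (cb instanceof PasswordCallback) {
                if (password == null) {
                    throw new IllegalStateException("password already cleared");
                }
                // setPassword() keeps its own copy of the array.
                ((PasswordCallback) cb).setPassword(password);
            }
            // Assumption: any other callback type is left unanswered.
        }
    }

    // Call after lc.login() returns so the secret does not linger on the heap.
    public void clear() {
        if (password != null) {
            Arrays.fill(password, '\0');
            password = null;
        }
    }

    // Constructed demo: drives the handler directly, no server required.
    public static void main(String[] args) {
        NonPromptingCallbackHandler handler =
                new NonPromptingCallbackHandler("userName", "password".toCharArray());
        NameCallback name = new NameCallback("User: ");
        PasswordCallback pw = new PasswordCallback("Password: ", false);
        handler.handle(new Callback[] { name, pw });
        handler.clear();
        System.out.println(name.getName() + " / " + pw.getPassword().length + " chars");
        pw.clearPassword();
    }
}
```

Pass an instance as the second argument of the LoginContext constructor in place of a product handler, and call clear() once login() has returned.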

Additional callbacks can be used with WSKRB5Login: WSAuthMechOidCallbackImpl and WSCcacheCallBackHandlerImpl. WSAuthMechOidCallbackImpl enables you to specify the authentication mechanism OID; the Kerberos authentication mechanism OID value is "1.2.840.113554.1.2.2". WSCcacheCallBackHandlerImpl enables you to specify the user name, the Kerberos realm name, the full path of the Kerberos credential cache, and whether to use the default location of the Kerberos credential cache. If you choose to use the default location of the Kerberos credential cache, then the Kerberos credential cache is ignored. If you are using Kerberos for authentication, then you have to update the sas.client.props file.

You can also develop your own login module if the default WSLoginModuleImpl implementation fails to meet all the requirements. This product provides utility functions that the custom login module can use, which are described in the next section.

(dist)(zos) In cases where no java.naming.provider.url property is set as a system property or in the jndi.properties file, a default InitialContext context does not function if the product server is not at the localhost:2809 location. In this situation, construct a new InitialContext context programmatically ahead of the JAAS login. JAAS needs to know where the security server resides to verify that the entered user ID or password is correct, prior to performing a commit method. By constructing a new InitialContext context in the way specified later in this topic, the security code has the information needed to find the security server location and the target realm.

(iseries) In cases where no java.naming.provider.url property is set as a system property or in the jndi.properties file, a default InitialContext context does not function if the product server is not at the server_name:2809 location. In this situation, construct a new InitialContext context programmatically ahead of the JAAS login. JAAS needs to know where the security server resides to verify that the entered user ID or password is correct, prior to performing a commit method. By constructing a new InitialContext context in the way specified later in this topic, the security code has the information needed to find the security server location and the target realm.

The first line starting with env.put was split into two lines for illustration purposes only.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
    ...

    // Perform an InitialContext and default lookup prior to logging in so that target realm
    // and bootstrap host/port can be determined for SecurityServer lookup.

    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY,
            "com.ibm.websphere.naming.WsnInitialContextFactory");
    env.put(Context.PROVIDER_URL, "corbaloc:iiop:myhost.mycompany.com:2809");
    Context initialContext = new InitialContext(env);
    Object obj = initialContext.lookup("");

    LoginContext lc = null;
    try {
        // WSLogin is the BasicAuth login configuration.
        lc = new LoginContext("WSLogin",
                new WSCallbackHandlerImpl("userName", "realm", "password"));
    } catch (LoginException le) {
        System.out.println("Cannot create LoginContext. " + le.getMessage());
        // Insert error processing code
    } catch (SecurityException se) {
        System.out.println("Cannot create LoginContext. " + se.getMessage());
        // Insert error processing code
    }

    try {
        lc.login();
    } catch (LoginException le) {
        System.out.println("Fails to create Subject. " + le.getMessage());
        // Insert error processing code
    }

