(zos) Writing a custom System Authorization Facility (SAF) mapping module with non-local operating system
We can customize Java Authentication and Authorization Service (JAAS) login configurations by writing a customized login mapping module.
The WebSphere Application Server ltpaLoginModule and AuthenLoginModule modules use the shared state to save state information so that login modules can modify it. The ltpaLoginModule initializes the callback array in the login() method using the following code. The callback array is created by ltpaLoginModule only if an array is not defined in the shared state area.
For the SAF distributed identity mapping feature, we do not need to configure a mapping module.
If a non-local operating system registry is configured and the Authorization option is selected, install a mapping class followed by the com.ibm.ws.security.common.auth.module.MapPlatformSubject login module. A sample mapping class, com.ibm.websphere.security.SampleSAFMappingModule, is shipped with WebSphere Application Server and can be used as a starting point. The mapping class must be placed in the JAAS configuration before administrative security is enabled, so that identities from a registry other than the local operating system are mapped to a SAF user ID. The Authorization option is accessible by completing the following steps:
- Click Security > Global security.
- Under Additional properties, click z/OS SAF properties.
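A minimal mapping module of the kind described above, as an added example (it is not IBM's SampleSAFMappingModule and not code from the original page). It uses only the standard JAAS API; both shared-state key names and the `map.<registry user>` option format are assumptions for illustration, so take the keys that MapPlatformSubject actually reads from the shipped sample class.

```java
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ExampleSafMappingModule implements LoginModule {
    // Assumed shared-state keys (placeholders, not WebSphere constants).
    static final String IN_KEY = "javax.security.auth.login.name";
    static final String OUT_KEY = "example.mapped.saf.userid";
    private Map<String, Object> sharedState;
    private Map<String, ?> options;
    private boolean mapped;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        Object name = sharedState.get(IN_KEY);
        if (!(name instanceof String)) {
            throw new FailedLoginException("no authenticated user name in shared state");
        }
        // Explicit table from module options; there is no default identity (fail closed).
        Object target = options.get("map." + name);
        if (!(target instanceof String)) {
            throw new FailedLoginException("no SAF mapping for " + name);
        }
        String safId = ((String) target).toUpperCase(Locale.ROOT);
        // SAF user IDs are 1-8 characters: A-Z, 0-9, or the national characters # $ @.
        if (!safId.matches("[A-Z0-9#$@]{1,8}")) {
            throw new FailedLoginException("invalid SAF user ID for " + name);
        }
        sharedState.put(OUT_KEY, safId); // read by the module that follows in the stack
        mapped = true;
        return true;
    }

    @Override public boolean commit() { return mapped; }
    @Override public boolean abort() { sharedState.remove(OUT_KEY); mapped = false; return true; }
    @Override public boolean logout() { sharedState.remove(OUT_KEY); mapped = false; return true; }
}
```

Rejecting unmapped or malformed names in login() keeps a registry user from silently inheriting a shared or default SAF identity, which matters because SAF authorization decisions are made against the mapped ID.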
What to do next
See other articles about JAAS and SAF.