
Configure a new JASPI authentication provider

We can configure a new Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the dmgr console. This release of WebSphere Application Server supports integration of message authentication providers that are compliant with the JASPI for Containers v1.0 specification.

When JASPI authentication providers are configured, and WAS receives an HTTP request message, the security runtime environment determines if the target application is configured to use JASPI authentication. If so, the runtime environment invokes the selected authentication provider to validate the received message. Otherwise, authentication of the message request is done according to the authentication mechanism provided by WAS for the appropriate messaging layer.

To use JASPI message authentication services, supply an implementation of the required interfaces as defined in the JASPI specification. Read Develop a custom JASPI authentication provider for more information on these interfaces.

Authentication of HTTP request and response messages destined for JASPI-enabled deployed applications is performed according to the requirements of the Servlet Container Profile defined in the JASPI specification.

JASPI is supported in a mixed-cell environment, but can only be used in nodes that are version 8 or higher. Back-level nodes use existing authentication mechanisms.

To configure a new JASPI authentication provider using the dmgr console, do the following:

  1. Click Security > Global security.

  2. Select Enable Java Authentication SPI (JASPI) to enable support for JASPI authentication.

  3. Click Providers.

    It is not necessary to select Enable Java Authentication SPI (JASPI) until after we have configured a new JASPI authentication provider.

    Best practice: The Default provider option specifies a single JASPI authentication provider that performs authentication for all web modules when JASPI authentication is enabled and we do not override the web module to JASPI provider mapping during application deployment. During application deployment, we can override the default for every web module where it does not apply, either by choosing not to use JASPI or by naming a different provider to use for authentication. However, it is not recommended that we use this option unless we are certain that the default provider is capable of handling all types of web authentication (basic authentication, form authentication and client certificate authentication).

  4. Click New.

  5. Enter a name that uniquely identifies the JASPI authentication provider in the Provider name field.

  6. Optional: Enter a textual description of the authentication provider in the Description field.

  7. Enter the package-qualified name of the class that implements the authentication provider interface (javax.security.auth.message.config.AuthConfigProvider) in the Class name field.

    In the Message layer field, WAS v8.5 supports only the HttpServlet message layer profile as defined in the JASPI specification. We cannot change this value.

  8. Optional: Under Custom Properties, click New if you require more than one property. This parameter is a list of key/value pairs.

  9. Click OK or Apply.

We can also configure a new JASPI authentication provider using wsadmin commands. Read JaspiManagement command group for AdminTask for more information.
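The console procedure above expressed as a wsadmin Jython script. This is an added example, not taken from the product documentation. The command names come from the JaspiManagement command group; the parameter names and the `-properties` syntax are assumptions to confirm against that reference, and the provider name, class name, description and property are hypothetical placeholders.

```jython
# Run against the deployment manager, for example:
#   wsadmin.sh -lang jython -f defineJaspiProvider.py
# All values below are hypothetical placeholders.
provider_name = 'sampleJaspiProvider'
# Package-qualified class that implements
# javax.security.auth.message.config.AuthConfigProvider (console step 7).
class_name = 'com.example.security.SampleAuthConfigProvider'

# Console steps 4-9: define the provider in the global security configuration.
# Parameter names are assumed; check them in the JaspiManagement reference.
AdminTask.defineJaspiProvider(
    '-providerName %s -className %s '
    '-description "Sample JASPI provider" '
    '-properties [ [debug false] ]' % (provider_name, class_name))

# Read the definition back so a mistyped class name or property is caught
# before JASPI is switched on.
print AdminTask.displayJaspiProvider('-providerName %s' % provider_name)

# Console step 2, done last: the page notes that JASPI does not need to be
# enabled until a provider has been configured.
# No default provider is named here, so each web module is mapped to a
# provider (or to none) at deployment, in line with the best-practice note.
AdminTask.configureJaspi('-enabled true')

# Persist the changes to the master configuration.
AdminConfig.save()
```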

Verify that your server has been restarted so the changes to configure the JASPI provider will take effect.


Related


Develop a custom JASPI authentication provider
Implement a custom authentication provider using JASPI
Modify an existing JASPI authentication provider
Enable JASPI authentication using the Map JASPI provider option during application deployment
Delete a JASPI authentication provider


Reference:

JaspiManagement command group for AdminTask
JASPI authentication providers page
JASPI authentication provider details
JASPI authentication enablement for applications

