WAS v8.5 > Develop applications > Develop security > Develop extensions to the WebSphere security infrastructure

Implement a custom authentication provider using JASPI

We can implement a custom authentication provider using Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) to handle the Java EE authentication of HTTP request and response messages destined for web applications.

For JASPI authentication processing to take place, application security must be enabled in the global or domain security configuration and the server must be restarted for the configuration changes to take effect. Read the Application security topic for more information. This release of WebSphere Application Server supports the JSR 196: Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) specification, which enables third-party security providers to handle the Java EE authentication of HTTP request and response messages destined for web applications.

The JASPI specification extends the pluggable authentication concepts of the Java Authentication and Authorization Service (JAAS) to the authentication of HTTP request and response messages. When application security is enabled, and a protected web resource is accessed, the web container and the security runtime collaborate to make an authentication decision for the caller. When using a third-party JASPI provider, the authentication decision is delegated to that provider.

The JASPI specification defines standard system programming interfaces that enable developers to write a pluggable custom authentication provider that can handle Java EE web authentication mechanisms as well as any extended authentication processing. The WAS runtime uses these standard system programming interfaces to invoke the JASPI authentication provider. Read the Servlet Container Profile section in the JSR 196: Java Authentication Service Provider Interface for Containers specification for the requirements that third-party authentication providers must satisfy for more information.

If application security is enabled with JASPI authentication, when the web resource (such as a servlet or a JSP file) is accessed, the security runtime checks if the web resource is mapped to a JASPI provider defined in the security configuration. If so, the runtime invokes the JASPI authentication provider to perform authentication for the HTTP request and response messages.

To implement a custom authentication provider using JASPI you must do the following:

  1. Develop a custom JASPI authentication provider.

    WAS provides support for the development of custom JASPI authentication providers to be used to perform authentication for the HTTP request and response messages destined for web applications. Read Develop a custom JASPI authentication provider for more information.

  2. Configure a new JASPI authentication provider.

    WAS allows an administrator to enable JASPI authentication and to define a third-party JASPI authentication provider as part of the global or domain security configuration. Read Configure a new JASPI authentication provider for more information.

  3. Associate a JASPI authentication provider with an application or specific web modules.

    During application deployment, the administrator or deployer can use the Map JASPI Provider option to associate web applications and specific web modules with an existing JASPI authentication provider as defined in the security configuration. This association can also be made when editing the options for an existing installed application. By default, an application inherits the JASPI settings defined in the WAS global or domain security configuration, and web modules inherit the application setting. The Map JASPI Provider option can be used to override these defaults. Read Enable JASPI authentication using the Map JASPI provider option during application deployment for more information.


Subtopics


Related concepts:

Application security


Related


Create new multiple security domains


Reference:

JaspiManagement command group for AdminTask
JASPI authentication providers page
JASPI authentication provider details
JASPI authentication enablement for applications


Related information:

JSR 196: Java Authentication Service Provider Interface for Containers


+

Search Tips   |   Advanced Search