Implement a custom authentication provider using JASPI
We can implement a custom authentication provider using Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) to handle the Java EE authentication of HTTP request and response messages destined for web applications.
For JASPI authentication processing to take place, application security must be enabled in the global or domain security configuration and the server must be restarted for the configuration changes to take effect. Read the Application security topic for more information. This release of WebSphere Application Server supports the JSR 196: Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) specification, which enables third-party security providers to handle the Java EE authentication of HTTP request and response messages destined for web applications.
The JASPI specification extends the pluggable authentication concepts of the Java Authentication and Authorization Service (JAAS) to the authentication of HTTP request and response messages. When application security is enabled, and a protected web resource is accessed, the web container and the security runtime collaborate to make an authentication decision for the caller. When using a third-party JASPI provider, the authentication decision is delegated to that provider.
The JASPI specification defines standard system programming interfaces that enable developers to write a pluggable custom authentication provider that can handle Java EE web authentication mechanisms as well as any extended authentication processing. The WAS runtime uses these standard system programming interfaces to invoke the JASPI authentication provider. For the requirements that third-party authentication providers must satisfy, read the Servlet Container Profile section in the JSR 196: Java Authentication Service Provider Interface for Containers specification.
If application security is enabled with JASPI authentication, when the web resource (such as a servlet or a JSP file) is accessed, the security runtime checks if the web resource is mapped to a JASPI provider defined in the security configuration. If so, the runtime invokes the JASPI authentication provider to perform authentication for the HTTP request and response messages.
To implement a custom authentication provider using JASPI, you must do the following:
- Develop a custom JASPI authentication provider.
WAS provides support for the development of custom JASPI authentication providers to be used to perform authentication for the HTTP request and response messages destined for web applications. Read Develop a custom JASPI authentication provider for more information.
- Configure a new JASPI authentication provider.
WAS allows an administrator to enable JASPI authentication and to define a third-party JASPI authentication provider as part of the global or domain security configuration. Read Configure a new JASPI authentication provider for more information.
- Associate a JASPI authentication provider with an application or specific web modules.
During application deployment, the administrator or deployer can use the Map JASPI Provider option to associate web applications and specific web modules with an existing JASPI authentication provider as defined in the security configuration. This association can also be made when editing the options for an existing installed application. By default, an application inherits the JASPI settings defined in the WAS global or domain security configuration, and web modules inherit the application setting. The Map JASPI Provider option can be used to override these defaults. Read Enable JASPI authentication using the Map JASPI provider option during application deployment for more information.
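The authentication decision that the runtime delegates to a provider is made in a JSR 196 ServerAuthModule. The sketch below is an added example, not IBM's code or part of the original page; the class name, the X-Api-Token header and the api.token / api.user option names are assumptions. It shows the module only; the AuthConfigProvider, ServerAuthConfig and ServerAuthContext classes that JSR 196 also defines would wrap it and pass it the options.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical module: authenticates callers by a pre-shared token in the X-Api-Token header.
public class TokenServerAuthModule implements ServerAuthModule {
    private CallbackHandler handler;
    private boolean mandatory;
    private byte[] expected; // provider option "api.token" (assumed option name)
    private String caller;   // provider option "api.user" (assumed option name)

    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map options) throws AuthException {
        if (options == null || options.get("api.token") == null || options.get("api.user") == null)
            throw new AuthException("options api.token and api.user are required");
        handler = h;
        mandatory = req != null && req.isMandatory(); // true when the resource is protected
        expected = options.get("api.token").toString().getBytes(StandardCharsets.UTF_8);
        caller = options.get("api.user").toString();
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        String token = ((HttpServletRequest) info.getRequestMessage()).getHeader("X-Api-Token");
        try {
            // Constant-time comparison avoids leaking the token through response timing.
            if (token != null && MessageDigest.isEqual(expected, token.getBytes(StandardCharsets.UTF_8))) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, caller) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory && token == null) { // unprotected resource, no credential offered
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return AuthStatus.SUCCESS;
            }
            // Bad or missing token on a protected resource: reject without saying which.
            ((HttpServletResponse) info.getResponseMessage()).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (Exception e) {
            throw (AuthException) new AuthException("authentication failed").initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```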
Subtopics
- Develop a custom JASPI authentication provider
We can develop a custom Java Authentication SPI for Containers (JASPI) authentication provider by creating classes that implement the required interfaces noted in the JSR 196: Java Authentication Service Provider Interface for Containers specification.
- Configure a new JASPI authentication provider
We can configure a new Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the dmgr console.
- Modify an existing JASPI authentication provider
We can modify and configure an existing Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the dmgr console.
- Delete a JASPI authentication provider
We can delete an existing Java Authentication SPI (JASPI) authentication provider in the cell or in the given security domain using the dmgr console.
- Enable JASPI authentication using the Map JASPI provider option during application deployment
An administrator or deployer can use the Map JASPI Provider option during application deployment to associate web applications and specific web modules with an existing Java Authentication SPI (JASPI) authentication provider as defined in the security configuration. This association can also be made when editing the options for a previously installed application.
- JASPI authentication providers page
The Java Authentication Service Provider Interface (JASPI) for Containers v1.0 specification defines standard system programming interfaces that enable developers to write a pluggable custom authentication provider that can handle Java EE web authentication mechanisms as well as any extended authentication processing. The WAS runtime uses these standard system programming interfaces to invoke the JASPI authentication provider.
- JASPI authentication provider details
Use this page to provide configuration details for the custom Java Authentication SPI (JASPI) authentication service provider.
- JASPI authentication enablement for applications
Use this page to enable or disable Java Authentication SPI (JASPI) authentication for an application or web module, and to specify the name of a JASPI authentication provider to be used for authenticating messages for the application or web module.
Related concepts:
Application security
Related
Create new multiple security domains
Reference:
JaspiManagement command group for AdminTask
JASPI authentication providers page
JASPI authentication provider details
JASPI authentication enablement for applications
Related information:
JSR 196: Java Authentication Service Provider Interface for Containers