Configure a JAAS custom login module for the Liberty profile
Overview
Before starting this task, use the developer tools to create a JAR file that contains a JAAS login module implementing the javax.security.auth.spi.LoginModule interface.
The login module should use hashtables, callbacks or shared state variables provided by the Liberty profile server to pass authentication data to the system login module.
The login module can either...
- Make additional authentication decisions
- Add information to the Subject to make fine-grained authorization decisions inside the application
Configure your JAAS custom login module with a Liberty profile server
- Enable the appSecurity-1.0 Liberty feature in server.xml.
- Create a class com.ibm.ws.security.authentication.modules.CustomLoginModule that implements the LoginModule interface and package it into the CustomLoginModule.jar file.
- Create a library element that uses a fileset element indicating where the CustomLoginModule.jar file is. In this example, the library id is customLoginLib.
- Create a jaasLoginModule element. In this example, the id is custom. Configure the custom login module to require a successful authentication by setting the controlFlag attribute to REQUIRED. Set the libraryRef attribute to customLoginLib, the id of the library element configured in the previous step. This login module also has two options: userRegistry is ldap and mapToUser is user1.
- Create a jaasLoginContextEntry element with an id and name of the system-defined JAAS configuration: system.WEB_INBOUND. We can also set this to system.DEFAULT, WSLogin, or our own JAAS configuration. On the loginModuleRef attribute, add custom, the id of the jaasLoginModule element created in the previous step. Putting this id first in the list means that it is the first JAAS login module to be called. You must also list the other default login modules: hashtable, userNameAndPassword, certificate, and token.
See the following server.xml file as an example:
    <featureManager>
        <feature>appSecurity-1.0</feature>
    </featureManager>
    <jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND"
        loginModuleRef="custom, hashtable, userNameAndPassword, certificate, token" />
    <jaasLoginModule id="custom"
        className="com.ibm.ws.security.authentication.modules.CustomLoginModule"
        controlFlag="REQUIRED" libraryRef="customLoginLib">
        <options userRegistry="ldap" mapToUser="user1"/>
    </jaasLoginModule>
    <library id="customLoginLib">
        <fileset dir="${server.config.dir}" includes="CustomLoginModule.jar"/>
    </library>
    ...
The option name cannot start with a period (.), config., or service. Also, the property name id or ID is not allowed.
For more information about the jaasLoginContextEntry, jaasLoginModule, options, and library elements, see Liberty profile: Configuration elements in server.xml.
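The rules stated in the steps above (feature enabled, controlFlag set to REQUIRED, libraryRef matching a library id, allowed option names, default login modules listed) can be checked mechanically before a server.xml is deployed. The following Python script is an added example, not IBM's code; the function name check_jaas_config is hypothetical, and the sample input is constructed by wrapping the fragment above in an assumed `<server>` root element.

```python
import xml.etree.ElementTree as ET

DEFAULT_MODULES = ["hashtable", "userNameAndPassword", "certificate", "token"]
BAD_PREFIXES = (".", "config.", "service.")

# Constructed sample input: the page's fragment inside an assumed <server> root.
SAMPLE = """<server>
  <featureManager><feature>appSecurity-1.0</feature></featureManager>
  <jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND"
      loginModuleRef="custom, hashtable, userNameAndPassword, certificate, token"/>
  <jaasLoginModule id="custom"
      className="com.ibm.ws.security.authentication.modules.CustomLoginModule"
      controlFlag="REQUIRED" libraryRef="customLoginLib">
    <options userRegistry="ldap" mapToUser="user1"/>
  </jaasLoginModule>
  <library id="customLoginLib">
    <fileset dir="${server.config.dir}" includes="CustomLoginModule.jar"/>
  </library>
</server>"""


def check_jaas_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "appSecurity-1.0" not in features:
        findings.append("appSecurity-1.0 feature is not enabled")
    libraries = {lib.get("id") for lib in root.iter("library")}
    modules = {m.get("id"): m for m in root.iter("jaasLoginModule")}
    for mod_id, mod in modules.items():
        # A custom module that is not REQUIRED may fail without blocking login.
        if mod.get("controlFlag") != "REQUIRED":
            findings.append(f"{mod_id}: controlFlag is not REQUIRED")
        if mod.get("libraryRef") not in libraries:
            findings.append(f"{mod_id}: libraryRef does not match a library id")
        for opts in mod.iter("options"):
            for name in opts.attrib:
                if name.startswith(BAD_PREFIXES) or name in ("id", "ID"):
                    findings.append(f"{mod_id}: option name '{name}' not allowed")
    for entry in root.iter("jaasLoginContextEntry"):
        refs = [r.strip() for r in entry.get("loginModuleRef", "").split(",")]
        missing = [m for m in DEFAULT_MODULES if m not in refs]
        if missing:
            findings.append(f"{entry.get('id')}: default modules missing: {missing}")
        for ref in refs:
            if ref not in DEFAULT_MODULES and ref not in modules:
                findings.append(f"{entry.get('id')}: unknown login module '{ref}'")
    return findings
```

Calling check_jaas_config(SAMPLE) returns an empty list; each finding string names the element id and the rule it breaks.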
See also
- Configuring JAAS on the Liberty profile using WebSphere Studio
We can configure a JAAS configuration (system.WEB_INBOUND) with a custom login module for the Liberty profile by editing the configuration. We do not have to configure JAAS unless we want to customize it.