IBM Security Access Manager

WebSphere Application Server (WAS) provides a JACC-compliant client dedicated for use with IBM Security Access Manager (ISAM). When an application is deployed, the embedded ISAM client reads the policy and user/role information from the application's deployment descriptor or annotations and stores that information in the ISAM Policy Server. The JACC provider is also called whenever a user requests access to a resource that WAS protects.

  1. Users accessing protected resources are authenticated using the ISAM login module configured for use when the embedded ISAM client is enabled.

  2. The WAS container uses information from the Java EE application deployment descriptor and annotations to determine the required role membership.

  3. WAS uses the embedded ISAM client to request an authorization decision from the ISAM authorization server. Additional context information, when present, is also passed to the authorization server. This context information consists of the cell name, the Java EE application name, and the Java EE module name. If the ISAM policy database has policies specified for any of this context information, the authorization server uses it to make the authorization decision.

  4. The authorization server consults the permissions defined for the specified user within the ISAM-protected object space. The protected object space is part of the policy database.

  5. The ISAM authorization server returns the access decision to the embedded ISAM client.

  6. WAS either grants or denies access to the protected method or resource, based on the decision that is returned from the ISAM authorization server.
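
The following model walks through steps 1 to 6 as runnable code. It is an added illustration, not IBM code: the user registry, the security constraints, the protected object space layout under `/roles/...` and the ACL format are constructed for the example, and the rule that an ACL attached deeper in the tree (cell, application, module) replaces the inherited one is a simplification of ISAM's ACL inheritance. The example goes slightly beyond the text by showing a context-specific policy overriding the default policy for one application.

```python
"""Simplified model of the WAS + embedded ISAM client authorization flow.

Added example, not IBM code. The object-space layout, ACL format and all
sample users, groups, constraints and policies are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Context passed with every decision request (step 3)."""
    cell: str
    application: str
    module: str


# Step 1: authenticated users and their group memberships (constructed);
# in a real deployment this comes from the LDAP registry shared by WAS and ISAM.
USER_REGISTRY = {
    "alice": {"admins"},
    "bob": {"staff"},
    "carol": {"staff", "payroll-staff"},
}

# Step 2: security constraints from the deployment descriptor (constructed,
# shaped like web.xml <security-constraint> entries):
# (url-pattern, http-methods, roles named in the auth-constraint)
SECURITY_CONSTRAINTS = [
    ("/admin/*", {"GET", "POST"}, {"administrator"}),
    ("/reports/*", {"GET"}, {"staff", "administrator"}),
]

# Steps 3-4: protected object space (constructed layout). Each role object
# carries an ACL naming the users/groups that hold the role. An ACL attached
# below the role root (cell/application/module) overrides the inherited one.
POLICY_DATABASE = {
    "/roles/administrator": {"admins"},
    "/roles/staff": {"staff"},
    # Context-specific policy: inside the Payroll application only members of
    # payroll-staff hold the 'staff' role.
    "/roles/staff/cell01/Payroll": {"payroll-staff"},
}


def url_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: exact pattern or '/prefix/*' path prefix."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def required_roles(path: str, method: str) -> set[str] | None:
    """Step 2: roles required by the most specific matching constraint.

    Returns None when no constraint covers this path and HTTP method, i.e.
    the resource is unconstrained and the container grants without asking.
    """
    best = None
    for pattern, methods, roles in SECURITY_CONSTRAINTS:
        if method in methods and url_matches(pattern, path):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, roles)
    return best[1] if best else None


def effective_acl(role: str, ctx: Context) -> set[str]:
    """Step 4: walk from the most specific object up to the role root and
    return the first ACL found (ACLs are inherited down the tree)."""
    segments = [role, ctx.cell, ctx.application, ctx.module]
    for depth in range(len(segments), 0, -1):
        obj = "/roles/" + "/".join(segments[:depth])
        if obj in POLICY_DATABASE:
            return POLICY_DATABASE[obj]
    return set()


def holds_role(user: str, role: str, ctx: Context) -> bool:
    """True if the user, or one of the user's groups, is on the effective ACL."""
    acl = effective_acl(role, ctx)
    return user in acl or bool(USER_REGISTRY.get(user, set()) & acl)


def authorize(user: str, path: str, method: str, ctx: Context) -> bool:
    """Steps 3, 5 and 6: request a decision for the call and enforce it."""
    roles = required_roles(path, method)
    if roles is None:
        return True  # unconstrained resource, no decision requested
    if user not in USER_REGISTRY:
        return False  # step 1: only authenticated users reach protected resources
    return any(holds_role(user, role, ctx) for role in roles)


if __name__ == "__main__":
    hr = Context("cell01", "HR", "hr-web")
    payroll = Context("cell01", "Payroll", "payroll-web")
    for user, path, ctx in [("alice", "/admin/users", hr),
                            ("bob", "/reports/q1", hr),
                            ("bob", "/reports/q1", payroll),
                            ("carol", "/reports/q1", payroll)]:
        verdict = "grant" if authorize(user, path, "GET", ctx) else "deny"
        print(f"{user:6} GET {path} in {ctx.application}: {verdict}")
```

Two checks worth noting from the model: the same user (bob) is granted `/reports/q1` in the HR application but denied it in Payroll, because the authorization server finds the more specific policy attached under the Payroll context, which is exactly what step 3's context information enables. And `required_roles` returns `None` for a POST to `/reports/q1`, because the constraint lists only GET; as in the Servlet specification, a method not covered by any constraint for a pattern is unconstrained, so descriptors should cover every method used (or declare `<deny-uncovered-http-methods/>`, available from Servlet 3.1) rather than rely on the authorization server to catch the gap.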

Architecture

The participating application servers use a local replica of the ISAM policy database to make authorization decisions for incoming requests. The master policy database is installed as part of the Security Access Manager installation. Having a policy database replica on each participating WAS node improves the performance of authorization decisions and provides failover capability.

Although the authorization server can also be installed on the same system as WAS, this configuration is not illustrated in the diagram.

All instances of ISAM and WAS in the example architecture share the LDAP user registry on Machine E.

The LDAP registries supported by WAS are also supported by ISAM.

It is possible to have separate WAS profiles on the same host configured for different ISAM servers. Such an architecture requires that the profiles be configured with separate Java SE Runtime Environments (JRE 6), so multiple JREs must be installed on the same host.

Related:

  • Configure an application server with IBM Security Verify Access
  • Authorization providers
  • IBM ISAM for e-business Information Center