Configure a new JASPI authentication provider using the administrative console
We can configure a new Java Authentication SPI (JASPI) authentication provider in the cell or in a given security domain using the administrative console.
This release of WebSphere Application Server supports integration of message authentication providers that are compliant with the JASPI for Containers Version 1.1 specification.
When JASPI authentication providers are configured, and WAS receives an HTTP request message, the security runtime environment determines if the target application is configured to use JASPI authentication. If so, the runtime environment invokes the selected authentication provider to validate the received message. Otherwise, authentication of the message request is done according to the authentication mechanism provided by WAS for the appropriate messaging layer.
To use JASPI message authentication services, supply an implementation of the required interfaces as defined in the JASPI specification. Read Developing a custom JASPI authentication provider for more information on these interfaces.
Authentication of HTTP request and response messages destined for JASPI-enabled deployed applications is performed according to the requirements of the Servlet Container Profile defined in the JASPI specification.
JASPI is supported in a mixed-cell environment, but can only be used in nodes that are version 8 or higher. Back-level nodes use existing authentication mechanisms.
To configure a new JASPI authentication provider using the administrative console, do the following:
Tasks
- Click Security > Global security.
- Select Enable Java Authentication SPI (JASPI) to enable support for JASPI authentication.
- Click Providers.
It is not necessary to select Enable Java Authentication SPI (JASPI) until after we have configured a new JASPI authentication provider.
The Default provider option specifies a single JASPI authentication provider to perform authentication for all web modules when JASPI authentication is enabled and we do not override the web module to JASPI provider mapping during application deployment. During application deployment, we can override the default for every web module where it does not apply by choosing not to use JASPI or by naming a different provider to use for authentication. However, it is not recommended that we use this option unless we are certain that the default provider is capable of handling all types of web authentication (basic authentication, form authentication and client certificate authentication).
- Click New.
- Enter a name that uniquely identifies the JASPI authentication provider in the Provider name field.
- Optional: Enter a textual description of the authentication provider in the Description field.
- Enter the package-qualified name of the class that implements the authentication provider interface (javax.security.auth.message.config.AuthConfigProvider) in the Class name field.
In the Message layer field, WAS supports only the HttpServlet message layer profile as defined in the JASPI specification. We cannot change this value.
- Optional: Under Custom Properties, click New if you require more than one property. This parameter is a list of key/value pairs.
- Click OK or Apply.
What to do next
We can also configure a new JASPI authentication provider using wsadmin commands. Read JaspiManagement command group for the AdminTask object for more information.
Verify that the server has been restarted so that the changes to configure the JASPI provider will take effect.
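The same procedure scripted through the JaspiManagement command group mentioned above, as an added example that is not from the original page or from the product documentation. The provider and class names are hypothetical, and the parameter names used here (-providerName, -className, -description, -properties, -enabled, -defaultProviderName) are assumptions to confirm against the JaspiManagement reference for the installed release.

```python
# Added example. Run under "wsadmin -lang jython", where the scripting
# client supplies the AdminTask and AdminConfig objects.
import re

# Package-qualified Java class name, for example com.example.auth.Provider.
_FQCN = re.compile(r'^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$')

def define_args(name, class_name, description=None, props=None):
    """Build the argument string for AdminTask.defineJaspiProvider."""
    # This example keeps names free of whitespace so no quoting is needed.
    if not name or re.search(r'\s', name):
        raise ValueError('provider name must be non-empty without spaces')
    if not _FQCN.match(class_name):
        raise ValueError('class name must be package-qualified')
    args = '-providerName %s -className %s' % (name, class_name)
    if description:
        args += ' -description "%s"' % description.replace('"', "'")
    if props:
        keys = list(props.keys())
        keys.sort()  # stable order makes the change easy to review
        pairs = ['[%s %s]' % (k, props[k]) for k in keys]
        args += ' -properties [%s]' % ' '.join(pairs)
    return args

def configure_provider(admin_task, admin_config, name, class_name,
                       description=None, props=None, make_default=False):
    """Define the provider, then enable JASPI, then save the configuration."""
    # Define before enabling, matching the order the console note allows.
    admin_task.defineJaspiProvider(
        define_args(name, class_name, description, props))
    enable = '-enabled true'
    # Only name a default provider if it handles basic, form and
    # client-certificate authentication for every web module.
    if make_default:
        enable += ' -defaultProviderName %s' % name
    admin_task.configureJaspi(enable)
    admin_config.save()
    return enable

# Usage inside wsadmin (hypothetical provider and class names):
# configure_provider(AdminTask, AdminConfig, 'sampleProvider',
#                    'com.example.auth.SampleProvider',
#                    'Sample provider', {'debug': 'true'})
```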