(z/OS) Writing a custom System Authorization Facility (SAF) mapping module with a non-local operating system registry
We can customize Java Authentication and Authorization Service (JAAS) login configurations by writing a customized login mapping module.
The WebSphere Application Server ltpaLoginModule and AuthenLoginModule modules save state information in the shared state, which allows other login modules to modify that information. The ltpaLoginModule initializes the callback array in the login() method using the following code. The callback array is created by ltpaLoginModule only if an array is not defined in the shared state area.
If we are using the SAF distributed identity mapping feature, we do not need to configure a mapping module.
If a non-local operating system registry is configured and the Authorization option is selected, install a mapping class followed by the com.ibm.ws.security.common.auth.module.MapPlatformSubject login module. A sample mapping class, com.ibm.websphere.security.SampleSAFMappingModule, is shipped with WAS and can be used as a starting point. Before administrative security is enabled, the mapping class must be placed in the JAAS configuration so that identities from a registry other than the local operating system are mapped to a SAF user ID. The Authorization option is accessible by completing the following steps:
Tasks
- Click Security > Global security.
- Under Additional properties, click z/OS SAF properties.
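The following sketch shows the general shape of a mapping class like the one described above. It is an added example, not IBM's SampleSAFMappingModule and not code from this page. The class name, both shared-state keys, the upper-casing rule and the accepted character set are assumptions made for illustration; only the javax.security.auth types are real APIs.

```java
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Added illustration only; not the mapping class shipped with WAS.
public class ExampleSafMappingModule implements LoginModule {
    // Hypothetical shared-state keys; the product defines its own keys.
    static final String REGISTRY_NAME_KEY = "example.registry.name";
    static final String MAPPED_SAF_ID_KEY = "example.mapped.saf.id";
    private Map<String, Object> sharedState;
    private boolean mapped;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
    }

    // Assumed mapping rule: the SAF user ID is the upper-cased registry name.
    static String toSafUserId(String registryName) throws LoginException {
        String id = registryName == null ? "" : registryName.trim().toUpperCase(Locale.ROOT);
        // Assumed constraint: 1 to 8 characters from A-Z, 0-9, #, $ and @.
        // Fail closed instead of truncating, so that two long registry names
        // can never collapse onto the same SAF user ID.
        if (!id.matches("[A-Z0-9#$@]{1,8}")) {
            throw new LoginException("identity cannot be mapped to a SAF user ID");
        }
        return id;
    }

    @Override
    public boolean login() throws LoginException {
        Object name = sharedState.get(REGISTRY_NAME_KEY);
        String safId = toSafUserId(name instanceof String ? (String) name : null);
        // Publish the mapped ID for the login module that runs next in the stack.
        sharedState.put(MAPPED_SAF_ID_KEY, safId);
        mapped = true;
        return true;
    }

    @Override public boolean commit() { return mapped; }
    @Override public boolean abort() { return clear(); }
    @Override public boolean logout() { return clear(); }

    private boolean clear() {
        if (sharedState != null) sharedState.remove(MAPPED_SAF_ID_KEY);
        mapped = false;
        return true;
    }
}
```

A mapping rule that rejects unmappable names, rather than shortening or defaulting them, keeps an unexpected registry entry from being authorized under another user's SAF identity.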
What to do next
See other articles about JAAS and SAF.
Related:
- Custom System Authorization Facility mapping modules
- Distributed identity mapping using SAF
- Install and configuring a custom System Authorization Facility mapping module for WAS
- Developing programmatic logins with the JAAS
- Update system login configurations to perform a System Authorization Facility identity user mapping
- Configure programmatic logins for JAAS