External authorization provider settings
Use this page to enable a Java Authorization Contract for Containers (JACC) provider for authorization decisions.
To view this administrative console page, complete the following steps:
- Click Security > Global security.
- Click External authorization providers.
The application server provides a default authorization engine that performs all of the authorization decisions. In addition, the application server also supports an external authorization provider using the JACC specification to replace the default authorization engine for Java EE applications.
JACC is part of the Java EE specification, which enables third-party security providers such as Security Access Manager to plug into the application server and make authorization decisions.
Important: Do not enable external authorization using a JACC provider unless we have an external JACC provider (or want to use the JACC provider for ISAM) that can handle Java EE authorization decisions based on JACC, and that provider is configured and set up for use with the application server.
Built-in authorization
Use this option unless we want an external security provider, such as ISAM, to make the authorization decisions for Java EE applications based on the JACC specification.
External JACC provider
Configure the application server to use an external JACC provider. At a minimum, the JACC specification requires the policy class name and the policy configuration factory class name in order to configure an external JACC provider.
The default settings under this link are the ones ISAM uses for authorization decisions. If we intend to use another provider, modify the settings as appropriate.
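As an added example (not IBM's code and not part of this settings page), the following Java class checks the two class names that the JACC specification requires before the external provider is switched on. The property names `javax.security.jacc.policy.provider` and `javax.security.jacc.PolicyConfigurationFactory.provider` are the ones defined by the JACC specification; the class names used in `main` are placeholders for a provider's documented classes. Running it in the server's JVM (or a test JVM with the provider's JAR on the class path) confirms that each configured class is loadable, concrete, and of the type the container expects, so that built-in authorization is not disabled in favour of a provider that cannot actually be instantiated.

```java
import java.lang.reflect.Modifier;
import java.security.Policy;
import java.util.ArrayList;
import java.util.List;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContextException;

/** Preflight validation of an external JACC provider configuration (added example). */
public final class JaccProviderPreflight {

    // Property names defined by the JACC specification.
    static final String POLICY_PROP = "javax.security.jacc.policy.provider";
    static final String FACTORY_PROP = "javax.security.jacc.PolicyConfigurationFactory.provider";

    /** Returns a list of problems; an empty list means both classes look usable. */
    public static List<String> check() {
        List<String> problems = new ArrayList<>();
        // The policy class must extend java.security.Policy; the factory class must
        // extend javax.security.jacc.PolicyConfigurationFactory.
        checkClass(POLICY_PROP, Policy.class, problems);
        checkClass(FACTORY_PROP, PolicyConfigurationFactory.class, problems);
        return problems;
    }

    private static void checkClass(String prop, Class<?> required, List<String> problems) {
        String name = System.getProperty(prop);
        if (name == null || name.trim().isEmpty()) {
            problems.add(prop + " is not set");
            return;
        }
        try {
            // initialize=false: only verify the class is on the class path here.
            Class<?> c = Class.forName(name, false, Thread.currentThread().getContextClassLoader());
            if (!required.isAssignableFrom(c)) {
                problems.add(name + " does not extend " + required.getName());
            } else if (Modifier.isAbstract(c.getModifiers()) || c.isInterface()) {
                problems.add(name + " is abstract and cannot be instantiated");
            }
        } catch (ClassNotFoundException e) {
            problems.add(name + " (from " + prop + ") was not found on the class path");
        } catch (LinkageError e) {
            problems.add(name + " could not be linked: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Placeholder class names (assumed, not a real provider); replace with the
        // classes documented by the external JACC provider that is being enabled.
        System.setProperty(POLICY_PROP, "com.example.jacc.ExamplePolicy");
        System.setProperty(FACTORY_PROP, "com.example.jacc.ExamplePolicyConfigurationFactory");

        List<String> problems = check();
        if (!problems.isEmpty()) {
            problems.forEach(p -> System.err.println("JACC preflight: " + p));
            System.exit(1);
        }
        try {
            // The spec's factory method reads FACTORY_PROP itself, so this exercises
            // the same instantiation path the container uses.
            PolicyConfigurationFactory f = PolicyConfigurationFactory.getPolicyConfigurationFactory();
            System.out.println("JACC preflight: factory " + f.getClass().getName() + " instantiated");
        } catch (ClassNotFoundException | PolicyContextException e) {
            System.err.println("JACC preflight: factory instantiation failed: " + e);
            System.exit(1);
        }
    }
}
```

With the placeholder names the run reports both classes as not found, which is the intended outcome: the check fails closed, and the External JACC provider option should only be selected once it passes with the real provider's classes.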
(ZOS) System Authorization Facility (SAF) authorization
Specify that SAF EJBROLE profiles are used for user-to-role authorization for both J2EE (Java EE) applications and the role-based authorization requests (naming and administration) associated with the application server runtime. This option is available only when the environment contains z/OS nodes.
Important: When selected, WebSphere Application Server uses the authorization policy stored in the z/OS security product for authorization.
If a Lightweight Directory Access Protocol (LDAP) registry or custom registry is configured and SAF authorization is specified, a mapping to a z/OS principal is required at each login for any protected methods to run:
- If the authentication mechanism is LTPA, IBM recommends that you update all of the following configuration entries to include a mapping to a valid z/OS principal (such as WEB_INBOUND, RMI_INBOUND, and DEFAULT).
- If the authentication mechanism is Simple WebSphere Authentication Mechanism (SWAM), we must update the SWAM configuration entry to include a mapping to a valid z/OS principal.
SWAM is deprecated and will be removed in a future release.
Related information
- Use the built-in authorization provider
- Propagating security policies and roles for previously deployed applications
- External Java Authorization Contract for Containers provider settings
- (ZOS) z/OS System Authorization Facility authorization