Administration guide > Secure the deployment environment > Tutorial: Integrate WebSphere eXtreme Scale security with WAS > Module 4: Use Java Authentication and Authorization Service (JAAS) authorization in WAS




Lesson 4.2: Enable user-based authorization

In the authentication module of this tutorial, you created two users: operator1 and admin1. You can assign varying permissions to these users with Java™ Authentication and Authorization Service (JAAS) authorization.


Define the Java Authentication and Authorization Service (JAAS) authorization policy using user principals

You can assign permissions to the users that you previously created. Assign the operator1 user read permissions only to all maps. Assign the admin1 user all permissions. Use the JAAS authorization policy file to grant permissions to principals.

Edit the JAAS authorization file. The xsAuth3.policy file is in the samples_home/security directory:

grant codebase http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction
Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/operator1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};

grant codebase http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction
Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/admin1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};

In this file, the http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction codebase is a specially reserved URL for ObjectGrid. All ObjectGrid permissions that are granted to principals should use this special codebase. The following permissions are assigned in this file: the operator1 principal is granted the read action on the Grid.Map1 map, and the admin1 principal is granted all actions on the Grid.Map1 map.


Set the JAAS authorization policy file using JVM properties

Use the following steps to set JVM properties for the xs1 and xs2 servers, which are in the xsCluster cluster. If you are using a topology that is different from the sample topology that is used in this tutorial, set the file on all of the container servers.

  1. In the administrative console, click Servers > Application servers > server_name > Java and Process Management > Process definition > Java Virtual Machine.

  2. Add the following generic JVM arguments:

    -Djava.security.auth.policy=samples_home/security/xsAuth3.policy
    

  3. Click OK and save the changes.


Run the sample application to test authorization

Use the sample application to test the authorization settings. The administrator user continues to have all permissions in the Map1 map, including displaying and adding employees. The operator user should only be able to view employees because that user was assigned read permission only.

  1. Restart all of the application servers that are running container servers.

  2. Open the EmployeeManagementWeb application. In a web browser, open http://<host>:<port>/EmployeeManagementWeb/management.jsp.

  3. Log in to the application as an administrator. Use the user name admin1 and password admin1.

  4. Attempt to display an employee. Click Display an Employee and search for the authemp1@acme.com email address. A message displays that the employee cannot be found.

  5. Add an employee. Click Add an Employee. Add the email authemp1@acme.com, the first name Joe, and the last name Doe. Click Submit. A message displays that the employee has been added.

  6. Log in as the operator user. Open a second web browser window and open http://<host>:<port>/EmployeeManagementWeb/management.jsp. Use the user name operator1 and password operator1.

  7. Attempt to display an employee. Click Display an Employee and search for the authemp1@acme.com email address. The employee is displayed.

  8. Add an employee. Click Add an Employee. Add the email authemp2@acme.com, the first name Joe, and the last name Doe. Click Submit. The following message displays:

    An exception occurs when Add the employee. See below for detailed exception messages.
    

    The following exception is in the exception chain:

    java.security.AccessControlException: Access denied 
    (com.ibm.websphere.objectgrid.security.MapPermission Grid.Map1 insert)
    

    This message displays because the operator1 user does not have permission to insert data into the Map1 map.

If you are running with a version of WebSphere Application Server that is earlier than v7.0.0.11, you might see a java.lang.StackOverflowError error on the container server. This error is caused by a problem with the IBM Developer Kit. The problem is fixed in the IBM Developer Kit that is shipped with WebSphere Application Server Version 7.0.0.11 and later.
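The following script is an added example, not part of this tutorial or the product: it parses the grant entries from the xsAuth3.policy file shown above and evaluates the same access attempts that the test steps make (admin1 inserting, operator1 reading, operator1 inserting), so a policy can be checked for least privilege before the container servers are restarted. It assumes the policy uses only the grant/Principal/permission layout shown on this page; the embedded policy text is a constructed copy of the lesson's file.

```python
import re

# Constructed copy of the grants in this lesson's xsAuth3.policy, embedded so the
# check runs offline (the real file is samples_home/security/xsAuth3.policy).
POLICY_TEXT = """
grant codebase http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction
Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/operator1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};

grant codebase http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction
Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/admin1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
"""

# Reserved ObjectGrid codebase and the permission class used in the policy above.
OBJECTGRID_CODEBASE = "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
MAP_PERMISSION = "com.ibm.websphere.objectgrid.security.MapPermission"

GRANT_RE = re.compile(
    r'grant\s+codebase\s+(\S+)\s+Principal\s+\S+\s+"([^"]+)"\s*\{(.*?)\};', re.DOTALL)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')


def parse_policy(text):
    """Map each principal name to its (codebase, permission class, target, actions) tuples."""
    grants = {}
    for codebase, principal, body in GRANT_RE.findall(text):
        for perm_class, target, actions in PERM_RE.findall(body):
            grants.setdefault(principal, []).append((codebase, perm_class, target, actions))
    return grants


def is_permitted(grants, principal, grid_map, action):
    """True if the principal holds MapPermission for `action` on `grid_map` under the
    reserved ObjectGrid codebase; the "all" action implies every other action."""
    for codebase, perm_class, target, actions in grants.get(principal, []):
        if (codebase, perm_class, target) != (OBJECTGRID_CODEBASE, MAP_PERMISSION, grid_map):
            continue  # a grant under another codebase or for another map does not apply
        granted = {a.strip() for a in actions.split(",")}
        if "all" in granted or action in granted:
            return True
    return False  # the container reports this as java.security.AccessControlException


def audit(text, attempts):
    """Evaluate (principal, map, action) attempts against the policy; returns name -> bool."""
    grants = parse_policy(text)
    return {f"{p}:{a}": is_permitted(grants, p, m, a) for p, m, a in attempts}
```

Running audit over the three attempts from the test steps reproduces the outcome seen in step 8: operator1 is denied the insert action on Grid.Map1 while admin1 is permitted.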


Lesson checkpoint

In this lesson, you configured authorization by assigning permissions to specific users.
