Administration guide > Secure the deployment environment > Tutorial: Integrate WebSphere eXtreme Scale security with WAS > Module 4: Use Java Authentication and Authorization Service (JAAS) authorization in WAS


Lesson 4.3: Configure group-based authorization

In the previous lesson, you assigned authorization to individual users with user principals in the Java™ Authentication and Authorization Service (JAAS) authorization policy. However, when you have hundreds or thousands of users, use group-based authorization, which authorizes access based on groups instead of individual users.

Unfortunately, the Subject object that is authenticated from the WebSphere Application Server only contains a user principal. This object does not contain a group principal. You can add a custom login module to populate the group principal into the Subject object.

For this tutorial, the custom login module is named com.ibm.websphere.samples.objectgrid.security.lm.WASAddGroupLoginModule. The module is in the groupLM.jar file. Place this JAR file in the WAS-INSTALL/lib/ext directory.

The WASAddGroupLoginModule retrieves the public group credential from the WebSphere Application Server subject and creates a Group principal, com.ibm.websphere.samples.objectgrid.security.WSGroupPrincipal, to represent the group. This group principal can then be used for group authorization. The groups are defined in the xsAuthGroup2.policy file:

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal com.ibm.websphere.sample.xs.security.WSGroupPrincipal
        "defaultWIMFileBasedRealm/cn=operatorGroup,o=defaultWIMFileBasedRealm" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal com.ibm.websphere.sample.xs.security.WSGroupPrincipal
        "defaultWIMFileBasedRealm/cn=adminGroup,o=defaultWIMFileBasedRealm" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};

The principal name is the WSGroupPrincipal, which represents the group.
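The following is an added illustration of how such a login module is structured, written here against the standard JAAS LoginModule interface and the WebSphere WSCredential API; it is not the source of the groupLM.jar sample. The package name, the debug handling and the WSGroupPrincipal implementation are assumptions, and the fully qualified name of the principal class must match the "principal" entry in the policy file exactly, or the grant is never matched.

```java
package example.xs.security.lm; // placeholder package; the policy's principal entry must name the real class

import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.cred.WSCredential;

/** Group principal (assumed implementation): equality by name so the JAAS policy can match it. */
final class WSGroupPrincipal implements Principal {
    private final String name;
    WSGroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) { return o instanceof WSGroupPrincipal && name.equals(((WSGroupPrincipal) o).name); }
    public int hashCode() { return name.hashCode(); }
}

/** Stacked after the WAS login modules: copies the group ids from WSCredential into group principals. */
public class WASAddGroupLoginModule implements LoginModule {
    private Subject subject;
    private boolean debug;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.debug = "true".equalsIgnoreCase(String.valueOf(options.get("debug"))); // the optional debug property
    }

    public boolean login() { return true; } // authentication was already done by the WAS modules ahead of this one

    public boolean commit() throws LoginException {
        try {
            for (WSCredential cred : subject.getPublicCredentials(WSCredential.class)) {
                // Group ids look like "defaultWIMFileBasedRealm/cn=adminGroup,o=defaultWIMFileBasedRealm",
                // which is the string the policy file's principal entry quotes.
                List<?> groupIds = cred.getGroupIds();
                for (Object groupId : groupIds) {
                    Principal p = new WSGroupPrincipal(groupId.toString());
                    if (subject.getPrincipals().add(p) && debug) System.out.println("Added group principal " + p.getName());
                }
            }
            return true;
        } catch (Exception e) {
            throw (LoginException) new LoginException("Cannot read group ids from WSCredential: " + e).initCause(e);
        }
    }

    public boolean abort() { return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof WSGroupPrincipal); return true; }
}
```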


Add the custom login module

The custom login module must be added to the system login module entries that authenticate inbound requests. If you are using Lightweight Third Party Authentication (LTPA), add the entry to the RMI_INBOUND login modules. LTPA is the default authentication mechanism for WebSphere Application Server v7.0. For a WebSphere Application Server Network Deployment configuration, you only need to configure the LTPA authentication mechanism configuration entries.

Use the following steps to configure the supplied com.ibm.websphere.samples.objectgrid.security.lm.WASAddGroupLoginModule login module:

  1. In the administrative console, click Security > Global Security > Java Authentication and Authorization Service > System logins > login_module_name > JAAS login modules > New.

  2. Enter the class name as com.ibm.websphere.sample.xs.security.lm.WASAddGroupLoginModule.

  3. Optional: Add a property named debug and set its value to true.

  4. Click Apply to add the new module to the login module list.


Set the JAAS Authorization Policy file using JVM Properties

In the administrative console, perform the following steps for the xs1 and xs2 servers in the xsCluster. If you use a different deployment topology, perform the following steps on the application servers that host the container servers.

  1. In the administrative console, click Servers > Application servers > server_name > Java and Process management > Process definition > JVM.

  2. Enter the following Generic JVM arguments or replace the -Djava.security.auth.policy entry with the following text:

    -Djava.security.auth.policy=samples_home/security/xsAuthGroup2.policy

  3. Click OK and save the changes.


Test group authorization with the sample application

You can use the sample application to test that the login module has configured group authorization.

  1. Restart the container servers. For this tutorial, the container servers are the xs1 and xs2 servers.

  2. Log in to the sample application. In a web browser, open http://<host>:<port>/EmployeeManagementWeb/management.jsp and log in with the user name admin1 and password admin1.

  3. Display an employee. Click Display an Employee and search for the authemp2@acme.com email address. A message displays that the user cannot be found.

  4. Add an employee. Click Add an Employee. Add the email authemp2@acme.com, the first name Joe, and the last name Doe. Click Submit. A message displays that the employee has been added.

  5. Log in as the operator user. Open a second web browser window and open the following URL: http://<host>:<port>/EmployeeManagementWeb/management.jsp. Use the user name operator1 and password operator1.

  6. Attempt to display an employee. Click Display an Employee and search for the authemp2@acme.com email address. The employee is displayed.

  7. Add an employee. Click Add an Employee. Add the email authemp3@acme.com, the first name Joe, and the last name Doe. Click Submit. The following message displays:

    An exception occurs when Add the employee. See below for detailed exception messages.
    

    The following exception is in the exception chain:

    java.security.AccessControlException: Access denied 
    (com.ibm.websphere.objectgrid.security.MapPermission Grid.Map1 insert)
    

    This message displays because the operator user does not have permission to insert data into the Map1 map.


Lesson checkpoint

You configured groups to simplify the assignment of permissions to the users of the application.