JACC policy propagation
When an application is installed or deployed in the WebSphere Application Server, the security policy information in the application is propagated to the provider when the configuration is saved. The contextID for the application is saved in its application.xml file; it is used for propagating the policy to the JACC provider and for access decisions for J2EE resources.
When an application is uninstalled, the security policy information in the application is removed from the provider when the configuration is saved.
If the provider has implemented the RoleConfiguration interface, the security policy information propagated to the policy provider also contains the authorization table information.
If an application does not contain security policy information, the PolicyConfiguration (and the RoleConfiguration, if implemented) objects do not contain any information. The existence of empty PolicyConfiguration and RoleConfiguration objects indicates that security policy information for the module does not exist.
Once an application is installed, it can be updated without first being uninstalled and reinstalled. For example, a new module can be added to an existing application, or an existing module can be modified. In this instance, the information in the impacted modules is propagated to the provider by default. A module is impacted when the deployment descriptor of the module is changed as part of the update. If the provider supports the RoleConfiguration interfaces, the entire authorization table for that application is propagated to the provider.
If the security information should not be propagated to the provider during application updates, you can set the JVM property com.ibm.websphere.security.jacc.propagateonappupdate to false in the deployment manager (in ND) or the unmanaged base application server. If this property is set to false, then any updates to an existing application in the server are not propagated to the provider. You can also set this property on a per-application basis using the custom properties of an application; the wsadmin tool can be used to set the custom property of an application. If this property is set at the application level, any updates to that application are not propagated to the provider. If the update to an application is a full update, for example a new application ear file is used to replace the existing one, the provider is then refreshed with the entire application security policy information.
In the network deployment (ND) environment, when an application is installed and saved, the security policy information in that application is updated in the provider from the deployment manager (dmgr or cell). The application is not propagated to its respective nodes until the synchronization command is issued and completed. Also, in the ND environment when an application is uninstalled and saved at the deployment manager, the policy for that application is removed from the JACC provider. However, unless the synchronization command is issued and completed from the deployment manager to the nodes hosting the application, the applications are still running in the respective nodes. In this instance, any access to this application should be denied since the JACC provider does not contain the required information to make the access decision for that application. Note that any updates to the application already installed as described above are also propagated to the provider from the deployment manager. The changes in the provider are not in sync with the applications in the nodes until the synchronization is completed.
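The following added example (not IBM or WebSphere code) models the drift states described above so an operator can see which node-hosted applications are out of step with the JACC provider. The revision numbers, node names and contextID strings are constructed assumptions; WebSphere does not expose them in this form.

```python
# Model only: classifies provider-versus-node drift for JACC policy propagation.
from typing import NamedTuple, Optional

class NodeApp(NamedTuple):
    node: str
    context_id: str  # constructed placeholder, not WebSphere's real contextID format
    node_rev: int    # hypothetical: application revision last synchronized to this node

def classify(provider_rev: Optional[int], node_rev: int) -> str:
    """Compare the policy revision held by the provider with the node's copy."""
    if provider_rev is None:
        # Uninstalled and saved at the deployment manager, node not yet synchronized:
        # the application still runs, but the provider has no policy, so access is denied.
        return "NO_POLICY"
    if provider_rev > node_rev:
        # Install or update saved at the deployment manager; node synchronization pending.
        return "NODE_BEHIND"
    if provider_rev < node_rev:
        # Update reached the node but was not propagated to the provider
        # (com.ibm.websphere.security.jacc.propagateonappupdate set to false).
        return "PROVIDER_BEHIND"
    return "IN_SYNC"

def find_drift(provider: dict, node_apps: list) -> list:
    """Return (node, context_id, state) for every application that is not in sync."""
    findings = []
    for app in node_apps:
        state = classify(provider.get(app.context_id), app.node_rev)
        if state != "IN_SYNC":
            findings.append((app.node, app.context_id, state))
    return sorted(findings)

# Constructed sample inventory: contextID -> revision held by the provider.
PROVIDER = {"ctx-hr": 3, "ctx-pay": 2, "ctx-crm": 5}
# Constructed sample inventory: applications running on each node.
NODES = [
    NodeApp("node01", "ctx-hr", 3),
    NodeApp("node01", "ctx-pay", 4),
    NodeApp("node02", "ctx-crm", 4),
    NodeApp("node02", "ctx-old", 1),
]

if __name__ == "__main__":
    for finding in find_drift(PROVIDER, NODES):
        print(finding)
```

Entries reported as NO_POLICY or NODE_BEHIND clear once synchronization completes; PROVIDER_BEHIND persists until the policy is propagated to the provider.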
See Also
Authorization in WebSphere Application Server
Tivoli Access Manager integration as the JACC provider
JACC support in WebSphere Application Server
Enabling an external JACC provider
Configuring a JACC provider
Propagating security policy of installed applications to a JACC provider using wsadmin scripting
Interfaces used to support JACC
Troubleshooting authorization providers