
JaspiManagement

Use the commands in the JaspiManagement command group to manage the configuration of authentication providers.

WebSphere Application Server supports integration of message authentication providers that are compliant with the JASPI for Containers Version 1.1 specification. Use the Jython or JACL scripting languages to configure Java Authentication Service Provider Interface (JASPI) providers with the wsadmin tool.

JASPI is a new specification introduced in Java Platform, Enterprise Edition 6 (Java EE 6). It enables third-party security providers to perform authentication of messages for specific messaging runtime environments. JASPI extends the JAAS architecture with standardized programming interfaces to make network messages available for processing by authentication providers.

To use JASPI message authentication services, we must supply an implementation of the required interfaces as defined in the JASPI specification. Read about Developing a custom authentication provider for more information on these interfaces.

WAS supports only the Servlet Profile as defined in the JASPI specification.

When JASPI authentication providers are configured, and WAS receives a request message, the security runtime environment determines if the target application is configured to use JASPI authentication. If so, the runtime environment invokes the selected authentication provider to validate the received message. Otherwise, authentication of the message request is done according to the authentication mechanism provided by WAS for the appropriate messaging layer.

The JaspiManagement command group includes the following commands:


configureJaspi

The configureJaspi command enables or disables Java Authentication SPI processing and sets the default JASPI provider for a given security domain or the global security configuration.

Target object: None.

Required parameters: None.

Optional parameters:

-enabled

Specify true to enable the JASPI configuration and false to disable the configuration.

-defaultProviderName

Name of an already configured JASPI provider that is to be used as the default JASPI provider for the security domain or global security configuration.

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Return value.

The command returns the object name of the JASPI configuration ID that the system creates, as an instance of javax.management.ObjectName. The value displayed in the console is the JASPI configuration ID.

Batch mode example usage

Use Jython:

AdminTask.configureJaspi('[-enabled true -defaultProviderName testProvider]')

Use Jacl:

$AdminTask configureJaspi {-enabled true -defaultProviderName testProvider}

Interactive mode example usage

Use Jython:

AdminTask.configureJaspi('-interactive')

Use Jacl:

$AdminTask configureJaspi -interactive


defineJaspiProvider

The defineJaspiProvider command configures a new authentication provider for the given security domain or the global security configuration.

Target object: None.

Required parameters:

-providerName

Name that uniquely identifies the authentication provider.

-className

Package-qualified name of the class that implements the authentication provider interface (javax.security.auth.message.config.AuthConfigProvider).

Optional parameters:

-description

Textual description of the authentication provider.

-properties

Specifies additional custom configuration properties needed to initialize the authentication provider. This parameter is a list of key/value pairs.

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Return value.

The command returns a map of the authentication provider configuration attributes and their values, as an instance of java.util.Map<java.lang.String, java.lang.Object>. The value displayed in the console is the return value of the Map's toString() method.

Batch mode example usage

For clarity, the command is shown in multiple lines; it must be entered on a single line.

Use Jython:

AdminTask.defineJaspiProvider('-providerName jaspi_provider  
-className com.ibm.sample.JaspiProvider -description "Sample authentication provider"  
-properties [ [debug true] [user admin] ] ')

Use Jacl:

$AdminTask defineJaspiProvider {  -providerName jaspi_provider 
-className com.ibm.JASPIProvider  -description "Sample authentication provider" 
-properties {  {debug true} {user admin}  } }

Interactive mode example usage

Use Jython:

AdminTask.defineJaspiProvider('-interactive')

Use Jacl:

$AdminTask defineJaspiProvider -interactive


displayJaspiProvider

The displayJaspiProvider command displays the configuration data for one or more given authentication providers for the given security domain or the global security configuration.

Target object: None.

Required parameters:

-providerName

Unique name(s) of the authentication provider(s) to be displayed.

Optional parameters:

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Return value.

The command displays the specified provider(s) along with their configuration attributes and values. The data returned is displayed as an instance of java.util.Collection<java.util.Map<java.lang.String, java.lang.Object>>. Each Map instance contains the configuration attributes of an authentication provider. The value displayed in the console is the return value of the Collection's toString() method.

Batch mode example usage

Use Jython:

AdminTask.displayJaspiProvider('-providerName jaspi_provider')

Use Jacl:

$AdminTask displayJaspiProvider {-providerName jaspi_provider}

Interactive mode example usage

Use Jython:

AdminTask.displayJaspiProvider('-interactive')

Use Jacl:

$AdminTask displayJaspiProvider -interactive


displayJaspiProviderNames

The displayJaspiProviderNames command displays the names of authentication providers in the security configuration. When the securityDomainName parameter is provided, only those providers in the given security domain are displayed. When the securityDomainName parameter is not provided, only the names of the providers in the global security configuration are displayed.

When the securityDomainName parameter is provided with the getEffectiveProviderNames parameter set to true, the list of authentication provider names from the given security domain and from the global security configuration are displayed as long as JASPI support is enabled.

The combined list does not include duplicate provider names. For example, if the given security domain configuration has provider names of p1, p2 and p3, and the global security configuration has provider names of p3, p4 and p5, the combined list of provider names contains p1, p2, p3, p4 and p5.

When the securityDomainName parameter is provided with the getEffectiveProviderNames parameter set to false, only the authentication providers for the given security domain are displayed. The getEffectiveProviderNames parameter only has an effect when used with the securityDomainName parameter; it is ignored if the securityDomainName parameter is not provided.

Target object: None.

Required parameters: None.

Optional parameters:

-getEffectiveProviderNames

Specify true to get the list of effective authentication provider names or false to get just the list of authentication providers for the security domain configuration. The default value for getEffectiveProviderNames is false.

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Return value.

The command returns a list of JASPI provider names. The data returned is displayed as an instance of java.util.Collection<java.lang.String>.

Batch mode example usage

Use Jython:

AdminTask.displayJaspiProviderNames()

Use Jacl:

$AdminTask displayJaspiProviderNames

Interactive mode example usage

Use Jython:

AdminTask.displayJaspiProviderNames('-interactive')

Use Jacl:

$AdminTask displayJaspiProviderNames -interactive


getJaspiInfo

The getJaspiInfo command displays information about the JASPI configuration for the given security domain or the global security configuration.

Target object: None.

Required parameters: None.

Optional parameters:

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Return value.

The command returns an indication of whether Java Authentication SPI processing is enabled. If the command is issued for a specific security domain and a value is customized for the domain, the command returns a value to indicate whether JASPI processing is enabled. If the command is issued for a specific domain and a value is not customized for the domain, it returns an empty list to indicate that the configuration is inherited from the global security configuration. The data returned is displayed as an instance of java.util.Map<java.lang.String, java.lang.Object> containing the JASPI configuration attributes. The value displayed in the console is the return value of the Map's toString() method.

In addition, this command returns the value configured for the default provider. For example:

wsadmin>$AdminTask getJaspiInfo
{defaultProviderName=null, enabled=false}

Batch mode example usage

Use Jython:

AdminTask.getJaspiInfo()

Use Jacl:

$AdminTask getJaspiInfo

Interactive mode example usage

Use Jython:

AdminTask.getJaspiInfo('-interactive')

Use Jacl:

$AdminTask getJaspiInfo -interactive
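
The following is an added example, not IBM code: it parses the getJaspiInfo output format shown above, applies the effective provider list rule described for displayJaspiProviderNames, and flags a default provider that is not configured. The function names and the sample strings in the comments are constructed for illustration; treating '', '[]' or '{}' as the "empty list" result is an assumption.

```python
def parse_jaspi_info(text):
    """Parse the Map toString() text, e.g. '{defaultProviderName=null, enabled=false}'.
    Returns None for an empty result, which the page says means the domain
    inherits the global configuration ('', '[]' and '{}' are assumed spellings)."""
    body = text.strip()
    if body in ('', '[]', '{}'):
        return None
    if not (body.startswith('{') and body.endswith('}')):
        raise ValueError('unexpected getJaspiInfo output: %r' % (text,))
    info = {}
    for pair in body[1:-1].split(','):
        key, sep, value = pair.strip().partition('=')
        if not sep:
            raise ValueError('not a key=value pair: %r' % (pair,))
        value = value.strip()
        info[key.strip()] = {'null': None, 'true': True, 'false': False}.get(value, value)
    return info


def effective_provider_names(domain_names, global_names):
    """Domain providers first, then global ones, without duplicate names."""
    merged = []
    for name in list(domain_names) + list(global_names):
        if name not in merged:
            merged.append(name)
    return merged


def audit_domain(domain_info, global_info, domain_names, global_names):
    """Return findings for one security domain (hypothetical helper).
    domain_info / global_info are getJaspiInfo output strings."""
    info = parse_jaspi_info(domain_info)
    inherited = info is None
    if inherited:
        info = parse_jaspi_info(global_info) or {}
    findings = []
    if inherited:
        findings.append('inherits global JASPI configuration')
    if not info.get('enabled'):
        # Per the page, requests then use the WAS authentication mechanism.
        findings.append('JASPI disabled')
        return findings
    default = info.get('defaultProviderName')
    if default is None:
        findings.append('JASPI enabled but no default provider set')
    elif default not in effective_provider_names(domain_names, global_names):
        findings.append('default provider %r is not configured' % (default,))
    return findings
```

The provider name lists are passed in as plain lists; converting the displayJaspiProviderNames console output into a list is left to the caller.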


modifyJaspiProvider

The modifyJaspiProvider command modifies configuration data for a given authentication provider for the given security domain or the global security configuration.

Target object: None.

Required parameters:

-providerName

Name that uniquely identifies the authentication provider.

Optional parameters:

-className

Package-qualified name of the class that implements the authentication provider interface (javax.security.auth.message.config.AuthConfigProvider).

-description

Textual description of the authentication provider.

-properties

Specifies additional custom configuration properties needed to initialize the authentication provider. This parameter is a list of key/value pairs.

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Return value.

An instance of java.util.Map<java.lang.String, java.lang.Object> containing any modified configuration attributes in the given authentication provider or any given associated authentication modules. The value displayed in the console is the return value of the Map's toString() method.

Batch mode example usage

Use Jython:

AdminTask.modifyJaspiProvider('-providerName jaspi_provider -properties [ [debug false] ]')

Use Jacl:

$AdminTask modifyJaspiProvider { -providerName jaspi_provider  
-properties { {debug false} } }

Interactive mode example usage

Use Jython:

AdminTask.modifyJaspiProvider('-interactive')

Use Jacl:

$AdminTask modifyJaspiProvider -interactive


removeJaspiProvider

The removeJaspiProvider command removes one or more authentication providers from the security configuration for the given security domain or the global security configuration.

Target object: None.

Required parameters:

-providerName

Unique name(s) of the authentication provider(s) to be removed.

Optional parameters:

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Return value. None.

Batch mode example usage

To remove a single provider using Jython:

AdminTask.removeJaspiProvider('-providerName jaspi_provider')

To remove multiple providers using Jython:

AdminTask.removeJaspiProvider( '[-providerName [ Provider1;Provider2 ] ]' ) 

To remove a single provider using Jacl:

$AdminTask removeJaspiProvider {-providerName jaspi_provider}

To remove multiple providers using Jacl:

$AdminTask removeJaspiProvider {-providerName {Provider1 Provider2 } } 

Interactive mode example usage

Use Jython:

AdminTask.removeJaspiProvider('-interactive')

Use Jacl:

$AdminTask removeJaspiProvider -interactive


unconfigureJaspi

The unconfigureJaspi command is used to remove the JASPI configuration and all of its associated providers from a security domain.

Target object: None.

Required parameters:

-securityDomainName

Name of the security domain. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter.

Optional parameters: None.

Return value. None.

Batch mode example usage

Use Jython:

AdminTask.unconfigureJaspi('-securityDomainName domain1')

Use Jacl:

$AdminTask unconfigureJaspi {-securityDomainName domain1}

Interactive mode example usage

Use Jython:

AdminTask.unconfigureJaspi('-interactive')

Use Jacl:

$AdminTask unconfigureJaspi -interactive

  • Implement a custom authentication provider using JASPI
  • Modifying an existing JASPI authentication provider
  • Deleting a JASPI authentication provider
  • Enable JASPI authentication using the Map JASPI provider option during application deployment
  • Commands for the AdminTask object
  • JASPI authentication providers collection
  • JASPI authentication provider details
  • JASPI authentication enablement for applications