Administration guide > Secure the deployment environment > Tutorial: Security in a mixed environment > Module 4: Use Java Authentication and Authorization Service (JAAS) authorization in WAS




Lesson 4.2: Enable user-based authorization

In the authentication module of this tutorial, you created two users: operator and manager. You can assign varying permissions to these users with Java™ Authentication and Authorization Service (JAAS) authorization.


Define the Java Authentication and Authorization Service (JAAS) authorization policy using user principals

You can assign permissions to the users that you previously created. Assign the operator user only read permissions to all maps. Assign the manager user all permissions. Use the JAAS authorization policy file to grant permissions to principals.

Edit the JAAS authorization file. The xsAuth3.policy file is in the samples_home/security_extauth directory.

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal
    "CN=operator,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal
    "CN=manager,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};

In this file, the http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction codebase is a specially reserved URL for ObjectGrid. All ObjectGrid permissions that are granted to principals must use this codebase. The following permissions are assigned in this file: the operator principal (CN=operator,O=acme,OU=OGSample) is granted the read permission on the Grid.Map1 map, and the manager principal (CN=manager,O=acme,OU=OGSample) is granted all permissions on the Grid.Map1 map.
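As an added illustration (not part of this tutorial or of the product code), the following Python script parses the two grant blocks above and evaluates a MapPermission request against them, producing the same allow/deny outcome the sample application shows later in this lesson. It assumes exact matching of the map target (no wildcards) and that "all" covers every other action; the reserved ObjectGrid codebase is checked so grants under a different codebase are ignored.

```python
import re

# Constructed sample: the two grant blocks from xsAuth3.policy as shown in this lesson.
POLICY_TEXT = '''
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal
    "CN=operator,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal
    "CN=manager,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
'''

# The reserved ObjectGrid codebase from the lesson; grants under other codebases are ignored.
OBJECTGRID_CODEBASE = "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
MAP_PERMISSION = "com.ibm.websphere.objectgrid.security.MapPermission"

GRANT_RE = re.compile(
    r'grant\s+codebase\s+"([^"]+)"\s+principal\s+(\S+)\s+"([^"]+)"\s*\{(.*?)\}\s*;',
    re.DOTALL)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def parse_policy(text):
    """Return [(codebase, principal_class, principal_name, [(perm_class, target, actions)])]."""
    grants = []
    for codebase, pclass, pname, body in GRANT_RE.findall(text):
        perms = [(cls, target, {a.strip() for a in actions.split(",")})
                 for cls, target, actions in PERM_RE.findall(body)]
        grants.append((codebase, pclass, pname, perms))
    return grants

def is_permitted(grants, principal_name, target, action):
    """True if a grant under the ObjectGrid codebase gives this principal the action on the map (exact target match, an assumption)."""
    for codebase, _pclass, pname, perms in grants:
        if codebase != OBJECTGRID_CODEBASE or pname != principal_name:
            continue
        for cls, ptarget, actions in perms:
            if cls == MAP_PERMISSION and ptarget == target:
                if "all" in actions or action in actions:
                    return True
    return False

def check_access(grants, principal_name, target, action):
    """None when allowed; otherwise the denial text in the form the lesson shows."""
    if is_permitted(grants, principal_name, target, action):
        return None
    return f"Access denied ({MAP_PERMISSION} {target} {action})"
```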


Set the JAAS authorization policy file using JVM properties

Use the following steps to set JVM properties for the xs1 and xs2 servers, which are in the xsCluster cluster. If you are using a topology that is different from the sample topology that is used in this tutorial, set the file on all of the container servers.

  1. In the administrative console, click Servers > Application servers > server_name > Java and process management > Process definition > JVM.

  2. Add the following generic JVM arguments:

    -Djava.security.auth.policy=samples_home/security_extauth/xsAuth3.policy
    

  3. Click OK and save the changes.


Run the sample application to test authorization

Use the sample application to test the authorization settings. The manager user continues to have all permissions in the Map1 map, including displaying and adding employees. The operator user should only be able to view employees because that user was assigned read permission only.

  1. Restart all of the application servers that are running container servers. For this tutorial, restart the xs1 and xs2 servers.

  2. Open the EmployeeManagementWeb application. In a web browser, open http://<host>:<port>/EmployeeManagermentWeb/management.jsp.

  3. Log in to the application using any valid user name and password.

  4. Attempt to display an employee. Click Display an Employee and search for the authemp1@acme.com email address. A message displays that the user cannot be found.

  5. Add an employee. Click Add an Employee. Add the email authemp1@acme.com, the first name Joe, and the last name Doe. Click Submit. A message displays that the employee has been added.

  6. Edit the samples_home/security_extauth/client3.props file. Change the value of the credentialGeneratorProps property from manager manager1 to operator operator1. After you edit the file, the servlet uses the user name "operator" and the password "operator1" to authenticate to the WebSphere eXtreme Scale servers.

  7. Restart the appCluster cluster to pick up the changes in the samples_home/security_extauth/client3.props file.

  8. Attempt to display an employee. Click Display an Employee and search for the authemp1@acme.com email address. The employee is displayed.

  9. Add an employee. Click Add an Employee. Add the email authemp2@acme.com, the first name Joe, and the last name Doe. Click Submit. The following message displays:

    An exception occurs when Add the employee. See below for detailed exception messages.
    

    The detailed exception text follows:

    java.security.AccessControlException: Access denied 
    (com.ibm.websphere.objectgrid.security.MapPermission Grid.Map1 insert)
    

    This message displays because the operator user does not have permission to insert data into the Map1 map.

If you are running with a version of WebSphere Application Server that is earlier than v7.0.0.11, you might see a java.lang.StackOverflowError error on the container server. This error is caused by a problem with the IBM Developer Kit. The problem is fixed in the IBM Developer Kit that is shipped with WebSphere Application Server Version 7.0.0.11 and later.


Lesson checkpoint

In this lesson, you configured authorization by assigning permissions to specific users.


