+

Search Tips   |   Advanced Search

Reuse group information

During the authentication of a user, IBM WebSphere Application Server stores information about which groups users belong to. This information is static for the authentication session of the user.

In addition, group information can be provided by an External Security Manager via a Trust Association Interceptor. In this case, WAS does not load the information on its own. IBM WebSphere Portal can participate in this flow and reuse the information from the WAS security context instead of retrieving it from the LDAP server. This function is also referred to as group assertion.

To prevent modifying existing behavior of the environment or losing existing group information, WebSphere Portal does not reuse group information by default. We must configure Portal to reuse group information from the WAS security context. We can choose to reuse group information for user management or for access control. Reusing group information for user management...

  • Results in all components of WebSphere Portal benefiting from the faster group membership lookup.

    During the authentication session, the membership of the current user is based on the information provided by WAS. This reuse of information reduces load on the LDAP server, increases authentication performance, and results in the ability to define group membership at the authentication layer.

  • Enables the system to react on possible per request changes of the WebSphere Security context.

    By default the Security context is not modifiable during an authentication session. However,WAS provides plug points, which allow the execution of a Trust Association Interceptor on every request, which could be used to establish a new security Subject on every request. In this case Portal Access Control would be able to work with the updated subject information and would build a dynamic environment. However, this option requires more system resources, custom extensions to WAS security and impacts performance.

The recommended option is for user management, as this case provides the performance and functional enhancements. The second option for access control is used in specific scenarios, typically as directed by IBM Support or IBM technical documentation.

Do not combine both options as this leads to high CPU load on the system.


To reuse group information

  1. Log on to the WAS console and go to...

      Resources | Resource Environment | Resource Environment Providers

  2. Choose the appropriate options to reuse group information:

    • To reuse group information for user management, the first option used typically as an enhancement...

      1. Select the WP_PumaStoreService resource environment provider.

      2. Select Custom properties.

      3. Click New.

      4. Enter store.puma_default.filter.assertionFilter.classname in the Name field.

      5. Enter com.ibm.wps.um.AssertionFilter in the Value field.

      6. Click Apply.

      7. Click Save to save the changes to the master configuration.

    • To reuse group information for access control...

      1. Select the WP PACGroupManagementService resource environment provider.

      2. Select Custom properties.

      3. Click New.

      4. Enter accessControlGroupManagement.useWSSubject in the Name field.

      5. Enter true in the Value field.

      6. Click Apply.

      7. Click Save to save the changes to the master configuration.

  3. Log out of the WAS console.

  4. Restart the WebSphere_Portal server.


Parent Administering