Login configuration for Java Authentication and Authorization Service

Java Authentication and Authorization Service (JAAS) is a new feature in WebSphere Application Server. JAAS is WebSphere Application Server strategic application programming interface (API) for authentication that replaces the Common Object Request Broker Architecture (CORBA) programmatic login API.

WebSphere Application Server provides some extensions to JAAS:

Tip: Do not remove or delete the predefined JAAS login configurations (ClientContainer, WSLogin and DefaultPrincipalMapping). Deleting or removing them can cause other enterprise applications to fail.

A system administrator determines the authentication technologies, or login modules, to use for each application and configures them in a login configuration. The source of the configuration information, for example, a file or a database, is up to the current javax.security.auth.login.Configuration implementation. The WebSphere Application Server implementation permits the definition of the login configuration in both the WebSphere Application Server configuration API security document and in a JAAS configuration file, where the former takes precedence.

JAAS login configurations are defined in the API security document for WebSphere Application Server configuration for applications to use. To access the configurations, complete the following steps:
  1. Click Security > Global security.
  2. Under Authentication, click JAAS configuration > Application logins.

The WSLogin module defines a login configuration and the LoginModule implementation that can be used by applications in general.

The ClientContainer module defines a login configuration and the LoginModule implementation that is similar to the WSLogin module, but enforces the requirements of the WebSphere Application Server client container.

The DefaultPrincipalMapping module defines a special LoginModule that is typically used by Java 2 Connector to map an authenticated WebSphere Application Server user identity to a set of user authentication data (user ID and password) for the specified back-end enterprise information system (EIS). For more information about Java 2 Connector and the DefaultMappingModule, see the Java 2 Security section.

A new JAAS login configuration can be added and modified using the administrative console. The changes are saved in the cell-level security document and are available to all managed application servers. An application server restart is required for the changes to take effect at runtime and for the client container login configuration to be made available.

WebSphere Application Server also reads JAAS configuration information from the wsjaas.conf file under the properties subdirectory of the root directory under which WebSphere Application Server is installed. Changes made to the wsjaas.conf file are used only by the local application server and take effect after the application server restarts. The JAAS configuration in the WebSphere Application Server configuration API security document takes precedence over that defined in the wsjaas.conf file. A configuration entry in the wsjaas.conf is overridden by an entry of the same alias name in the WebSphere Application Server configuration API security document.

The Java Authentication and Authorization Service (JAAS) login configuration entries in the administrative console are propagated to the server runtime when they are created, not when the configuration is saved. However, the deleted JAAS login configuration entries are not removed from the server runtime. To remove the entries, save the new configuration, then stop and restart the server.

Example

The Samples Gallery provides a JAAS login sample that demonstrates how to use JAAS with WebSphere Application Server. The sample uses a server-side login with JAAS to authenticate a user with the security runtime for WebSphere Application Server. The sample demonstrates the following technology:
  • Java 2 Platform, Enterprise Edition (J2EE) Java Authentication and Authorization Service (JAAS)
  • JAAS for WebSphere Application Server
  • WebSphere Application Server security
The form login sample is a component of the technology samples. For more information on how to access the form login sample, see Accessing Samples.



Related concepts
[z/OS] Accessing Samples
Related tasks
[z/OS] Enabling pluggable login modules to map J2EE identities to System Authorization Facility (SAF)
Configuring programmatic logins for Java Authentication and Authorization Service
Related reference
[z/OS] z/OS System Authorization Facility authorization
Reference topic    

Terms of Use | Feedback

Last updated: Aug 29, 2010 9:31:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=rseclogmod
File name: rsec_logmod.html