Use this page to specify a list of Java Authentication and Authorization Service (JAAS) system login configurations.
Processes login requests when Integrated Cryptographic Services Facility (ICSF) is used as the authentication mechanism.
Processes inbound login requests for Remote Method Invocation (RMI), Web applications, and most of the other login protocols.
These three login configurations will pass in the following callback information, which is handled by the login modules within these configurations. These callbacks are not passed in at the same time. However, the combination of these callbacks determines how the application server authenticates the user.
callbacks[0] = new javax.security.auth.callback.NameCallback("Username: ");
callbacks[1] = new javax.security.auth.callback.PasswordCallback("Password: ", false);
callbacks[2] = new com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl("Credential Token: ");
callbacks[3] = new com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback("Authz Token List: ");
In system login configurations, the application server authenticates the user based upon the information that is collected by the callbacks. However, a custom login module does not need to act upon any of these callbacks. The following list explains the typical combinations of these callbacks:
This callback occurs for CSIv2 identity assertion, Web and CSIv2 X509 certificate logins, old-style trust association interceptor logins, and so on. In Web and CSIv2 X509 certificate logins, the application server maps the certificate to a user name. This callback is used by any login type that establishes trust with the user name only; because no password or token accompanies the name, the trust has to come from the surrounding mechanism (the certificate mapping, the asserting server, or the interceptor), not from anything verified in this login.
This combination of callbacks is typical for basic authentication logins. Most user authentications occur using these two callbacks.
com.ibm.wsspi.security.token.WSSecurityPropagationHelper.validateLTPAToken(byte[])
com.ibm.wsspi.security.token.WSSecurityPropagationHelper.getUserFromUniqueID(uniqueID)
com.ibm.wsspi.security.token.WSSecurityPropagationHelper.validateLTPAToken(byte[])
callbacks[0] = new javax.security.auth.callback.NameCallback("Username: ");
callbacks[1] = new javax.security.auth.callback.PasswordCallback("Password: ", false);
callbacks[2] = new com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl("Credential Token: ");
If the attributes are added to the Subject from a pure client, then the NameCallback and PasswordCallback callbacks authenticate the information and the objects that are serialized in the token holder are added to the authenticated Subject.
A custom login module needs to handle custom serialization. For more information, see "Security attribute propagation" in the information center.
callbacks[4] = new com.ibm.websphere.security.auth.callback.WSServletRequestCallback("HttpServletRequest: ");
callbacks[5] = new com.ibm.websphere.security.auth.callback.WSServletResponseCallback("HttpServletResponse: ");
callbacks[6] = new com.ibm.websphere.security.auth.callback.WSAppContextCallback("ApplicationContextCallback: ");
If you want to use security attribute propagation with the WEB_INBOUND login configuration, enable the Web inbound security attribute propagation option on the Single sign-on panel.
When a java.util.Hashtable object is present, the login module maps its attributes into a valid Subject. When the WSTokenHolderCallback callback is present, the login module deserializes the byte token objects and regenerates the serialized Subject contents. The java.util.Hashtable takes precedence over all other forms of login, so be careful not to duplicate or override attributes that the application server might already have propagated.
Because the java.util.Hashtable takes precedence over the other authentication information, a custom login module that supplies one must already have verified the LTPA token, if one is present, to establish sufficient trust. The custom login module can call com.ibm.wsspi.security.token.WSSecurityPropagationHelper.validateLTPAToken(byte[]) to validate the LTPA token carried in the WSCredTokenCallback callback. Failing to validate the LTPA token is a security risk: the hashtable would assert an identity that the server never checked.
For more information on adding a hashtable containing well-known and well-formed attributes used by the application server as sufficient login information, see "Configuring inbound identity mapping" in the information center.
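The following custom login module is an added example (it is not code from this page or from the WebSphere product) showing the pattern the text describes: request the four callbacks, work out which login form is in use from the ones that were filled in, and validate any credential token with validateLTPAToken before building the java.util.Hashtable that takes precedence over the other login forms. The hashtable keys (AttributeNameConstants.WSCREDENTIAL_*), the shared-state key, getCredToken() and getTokenHolderList() are assumed from the public WebSphere SPI rather than taken from this page, and the empty group list is a placeholder for a deployment-specific group lookup.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;   // assumed SPI class
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;

// Example custom login module (not part of the product). It asks for the same
// four callbacks the system login configurations pass in, decides which login
// form is in use, and validates an LTPA token before asserting any identity.
public class TokenValidatingLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private boolean succeeded;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = new Callback[4];
        callbacks[0] = new NameCallback("Username: ");
        callbacks[1] = new PasswordCallback("Password: ", false);
        callbacks[2] = new WSCredTokenCallbackImpl("Credential Token: ");
        callbacks[3] = new WSTokenHolderCallback("Authz Token List: ");
        try {
            handler.handle(callbacks);
        } catch (Exception e) {
            throw new LoginException("callback handler failed: " + e);
        }

        String name = ((NameCallback) callbacks[0]).getName();
        char[] password = ((PasswordCallback) callbacks[1]).getPassword();   // a copy
        byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[2]).getCredToken();
        List<?> holders = ((WSTokenHolderCallback) callbacks[3]).getTokenHolderList();

        if (credToken != null && credToken.length > 0) {
            // Token login, with or without a token holder list. The bytes came
            // off the wire, so the server must validate them before anything in
            // them is trusted; validateLTPAToken throws on a bad or expired token.
            String uniqueId;
            try {
                uniqueId = WSSecurityPropagationHelper.validateLTPAToken(credToken);
            } catch (Exception e) {
                throw new LoginException("LTPA token rejected: " + e);
            }
            String securityName = WSSecurityPropagationHelper.getUserFromUniqueID(uniqueId);
            // Only now is it safe to hand the server a Hashtable that overrides
            // the other login forms. The token holders (if any) are left for the
            // server's own module to deserialize; nothing here re-adds them.
            sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY,
                            buildHashtable(uniqueId, securityName, holders != null));
            succeeded = true;
        } else if (name != null && password != null) {
            // Basic authentication: leave the registry check to the server's
            // ltpaLoginModule and do not assert a Hashtable from an unchecked name.
            Arrays.fill(password, '\0');   // scrub our copy of the secret
            succeeded = false;             // "ignore this module" in JAAS terms
        } else if (name != null) {
            // Name-only login (identity assertion, certificate mapping, TAI):
            // trust was established upstream; nothing to verify here.
            succeeded = false;
        } else {
            throw new LoginException("no usable callbacks supplied");
        }
        return succeeded;
    }

    // Well-known attributes the server accepts as sufficient login information.
    // Key names are assumed from the public SPI; the group list is a placeholder.
    static Hashtable<String, Object> buildHashtable(String uniqueId, String securityName,
                                                    boolean propagated) {
        Hashtable<String, Object> h = new Hashtable<String, Object>();
        h.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueId);
        h.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, securityName);
        h.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, new ArrayList<String>());
        // Distinct cache key per origin so a propagated login is not confused
        // with a locally authenticated one in the authentication cache.
        h.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,
              uniqueId + (propagated ? "#propagated" : "#local"));
        return h;
    }

    public boolean commit() { return succeeded; }
    public boolean abort()  { succeeded = false; return true; }
    public boolean logout() { succeeded = false; return true; }
}
```

The point of the branch structure is that only the token path ever writes the hashtable: a name alone or a name and password never become a server-trusted identity from this module, so a later module (or the server's own ltpaLoginModule) still has to do the real check.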
Processes Remote Method Invocation (RMI) requests that are sent outbound to another server when either the com.ibm.CSI.rmiOutboundLoginEnabled or the com.ibm.CSIOutboundPropagationEnabled properties are true.
This login configuration determines the security capabilities of the target server and its security domain. For example, if an application server at Version 5.1.1 or later (or 5.1.0.2 for z/OS) communicates with a Version 5.x application server, the Version 5.1.1 server sends only the authentication information, as an LTPA token, to the Version 5.x server. If a Version 5.1.1 or later server communicates with a Version 5.1.x server, both the authentication and the authorization information are sent to the receiving server, provided propagation is enabled at both the sending and the receiving server. Sending both downstream removes the need for the receiving server to access the user registry again to look up the security attributes of the user for authorization. Additionally, any custom objects that are added at the sending server are present in the Subject at the downstream server.
The following callback is available in the RMI_OUTBOUND login configuration. You can use the com.ibm.wsspi.security.csiv2.CSIv2PerformPolicy object that is returned by this callback to query the security policy for this particular outbound request. This query can help determine if the target realm is different than the current realm and if the application server must map the realm. For more information, see "Configuring outbound mapping to a different target realm" in the information center.
Provides protocol-specific policy information for the login modules on this outbound invocation. This information is used to determine the level of security, including the target realm, target security requirements, and coalesced security requirements.
csiv2PerformPolicy = (CSIv2PerformPolicy) ((WSProtocolPolicyCallback)callbacks[0]).getProtocolPolicy();
A protocol other than RMI might return a different type of policy object, so check the type before casting.
You can use a custom login module before this login module to perform credential mapping. However, it is recommended that the custom login module change the contents of the Subject that is passed in during the login phase. If this recommendation is followed, the login modules processed after it act on the new Subject contents.
For more information, see "Configuring outbound mapping to a different target realm" in the information center.
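As an added example (not code from this page or from the WebSphere product), the following RMI_OUTBOUND login module retrieves the protocol policy through the callback shown above, checks that it really is a CSIv2PerformPolicy before casting, and records whether the target realm differs from the current realm so that a mapping module can act on it. The WSProtocolPolicyCallback constructor argument, the getTargetSecurityName() accessor, and the currentRealm login-module option are assumptions for illustration; only getProtocolPolicy() and the cast appear on this page.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.wsspi.security.auth.callback.WSProtocolPolicyCallback;   // assumed package
import com.ibm.wsspi.security.csiv2.CSIv2PerformPolicy;

// Example RMI_OUTBOUND login module (not part of the product) that decides
// whether the outbound request is heading for a different realm.
public class RealmCheckLoginModule implements LoginModule {
    private CallbackHandler handler;
    private String currentRealm;      // hypothetical option: currentRealm=<realm name>
    private boolean mappingRequired;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.currentRealm = (String) options.get("currentRealm");
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = new Callback[1];
        callbacks[0] = new WSProtocolPolicyCallback("Protocol Policy: ");   // prompt assumed
        try {
            handler.handle(callbacks);
        } catch (Exception e) {
            throw new LoginException("callback handler failed: " + e);
        }
        Object policy = ((WSProtocolPolicyCallback) callbacks[0]).getProtocolPolicy();
        if (!(policy instanceof CSIv2PerformPolicy)) {
            // A protocol other than RMI hands back a different policy type;
            // this module has nothing to say about it.
            return false;
        }
        CSIv2PerformPolicy csiv2PerformPolicy = (CSIv2PerformPolicy) policy;
        String targetRealm = csiv2PerformPolicy.getTargetSecurityName();   // accessor assumed
        mappingRequired = realmsDiffer(currentRealm, targetRealm);
        return true;
    }

    // Fail closed: an unknown target realm is treated as foreign so that a
    // mapping module downstream does not silently reuse the local identity.
    static boolean realmsDiffer(String current, String target) {
        if (current == null || target == null) {
            return true;
        }
        return !current.trim().equalsIgnoreCase(target.trim());
    }

    public boolean mappingRequired() { return mappingRequired; }

    public boolean commit() { return true; }
    public boolean abort()  { return true; }
    public boolean logout() { return true; }
}
```

A mapping module placed after this one in the RMI_OUTBOUND configuration can consult mappingRequired() (or a flag this module puts in the shared state) and alter the Subject during its own login phase, which is the order the text above recommends.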
Processes login requests in a single server environment when Simple WebSphere Authentication Mechanism (SWAM) is used as the authentication method.
SWAM does not support forwardable credentials. When SWAM is the authentication method, the application server cannot forward the caller's credential on requests from one server to another. If you need server-to-server requests, you must use LTPA.
This login configuration enables you to map an ID in a Lightweight Directory Access Protocol (LDAP) user registry to a System Authorization Facility (SAF) user ID.
Processes login configuration requests for Web services security using identity assertion.
This login configuration is for Version 5.x applications. For more information, see "Identity assertion authentication method" in the information center.
Processes login configuration requests for Web services security using identity assertion.
This login configuration is for Version 6.x applications.
The custom property com.ibm.wsspi.wssecurity.auth.module.IDAssertionLoginModule.disableUserRegistryCheck can be configured for the JAAS IDAssertionUsernameToken login module. This property is an option for the Web services security identity assertion JAAS login module, wssecurity.IDAssertionUsernameToken. The property indicates that the login module should not perform a user registry check when processing an inbound identity token. With the check disabled, the asserted user name is accepted without confirming that it exists in the registry, so the trust placed in the asserting party is the only control on the identity.
Verifies an X.509 certificate with a certificate revocation list in a Public Key Cryptography Standards #7 (PKCS7) object.
This login configuration is for Version 6.x systems.
Verifies an X.509 certificate with a public key infrastructure (PKI) path.
This login configuration is for Version 6.x systems.
Processes login configuration requests for Web services security using digital signature validation.
This login configuration is for Version 5.x systems.
Verifies basic authentication (user name and password).
The custom property com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule.disableUserRegistryCheck can be configured for the JAAS UsernameToken login module. This property is an option for the Web services security UsernameToken JAAS login module, com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule. The property indicates that the login module should not perform a user registry check when processing an inbound username token; with the check disabled, the name in the token is not confirmed against the registry by this module.
Verifies an X.509 binary security token (BST) by checking the validity of the certificate and the certificate path.
This login configuration is for Version 6.0.x systems.
Processes login requests to components in the Web container such as servlets and JavaServer pages (JSP) files.
The com.ibm.ws.security.web.AuthenLoginModule login module is predefined in the LTPA_WEB login configuration. You can add custom login modules before or after this module in the LTPA_WEB login configuration.
The LTPA_WEB login configuration can process the HttpServletRequest object, the HttpServletResponse object, and the Web application name that are passed in using a callback handler. For more information, see "Example: Customizing a server-side Java Authentication and Authorization Service authentication and logon configuration" in the information center.
Processes login requests that are not handled by the LTPA_WEB login configuration.
This login configuration is used by WebSphere Application Server Version 5.1 and previous versions.
The com.ibm.ws.security.server.lm.ltpaLoginModule login module is predefined in the LTPA login configuration. You can add custom login modules before or after this module in the LTPA login configuration. For more information, see "Example: Customizing a server-side Java Authentication and Authorization Service authentication and logon configuration" in the information center.