WSCredential and virtual member manager access control

The WebSphere Application Server authentication process is based on the mechanism defined in javax.security.auth.login.LoginContext. In this authentication process, WebSphere Application Server provides a login module which implements the javax.security.auth.spi.LoginModule SPI interface. The login module is responsible for authenticating login principals.

The WebSphere Application Server LoginModule is configured in the javax.security.auth.login.Configuration Java class under the WebSphere Application Server-defined name WSLogin. To start the authentication process, a new javax.security.auth.login.LoginContext object is instantiated with the LoginModule name WSLogin. With this name, the WebSphere Application Server LoginModule is invoked and calls user registry APIs to authenticate the login principal. The WebSphere Application Server LoginModule may bypass the call to the user registry if the identifier and group membership have already been supplied by a Trust Authority Interceptor (TAI). The unique identifier of the subject is stored in the WSCredential of the subject. Virtual member manager instance-based access control relies on the unique identifier of the principal and on the group membership to determine role mapping and rule-based access. The identifiers can come from the following sources:

Authentication rules

Because virtual member manager both manages the login accounts and provides a User Registry interface for authenticating users, it sees a user as both a subject and a resource. The virtual member manager instance-based access control engine grants an authenticated subject authorized access to resources in virtual member manager; in some cases the subject and the resource are the same object. The following is an example of a self-care password rule:

The rule assumes that virtual member manager is configured as the User Registry for WebSphere Application Server authentication. However, you can use other forms of authentication (CUR, LDAP UR, TAI plug-in) that might not use virtual member manager identifiers. If this occurs, and the same repository used by the non-virtual member manager authentication method is also configured under virtual member manager as a virtual member manager repository, then the account object used to build the subject is known to virtual member manager.

If the virtual member manager access control policy is built with identifiers from the non-virtual member manager authentication platform, virtual member manager role-based access control works, but rule-based access policies involving the Person or Account objects are not granted permissions.

Rule-based conditional permissions in which a virtual member manager resource is the subject (for example, "if the subject is the owner" or "if the subject is the manager") are granted only if virtual member manager-compatible identifiers for the principal are used in the WSCredential. Rule-based access to virtual member manager resources is available only when all of the following conditions exist:
  • virtual member manager is configured as the user registry, or as the alternate user registry.
  • virtual member manager is configured to use the same identifiers (for example, an LDAP user registry is configured as a repository using the DN as the identifier).
  • virtual member manager is configured with a realm that contains the same LDAP server identified by the DN.
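
The authentication flow described at the top of this page, as an added example that is not IBM's own code: a LoginContext is created under the WSLogin name, the WSCredential is read from the resulting Subject, and the unique identifier and group IDs that virtual member manager compares against its policy are reported. The looksLikeDn check is a heuristic of this example (not a virtual member manager API) for the identifier conditions listed above, and the WebSphere classes WSCallbackHandlerImpl and WSCredential are assumed to be on the classpath.

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.websphere.security.cred.WSCredential;

/** Authenticates through WSLogin and reports the identifiers the WSCredential carries;
 *  these are the values VMM instance-based access control compares against its policy. */
public class WSCredentialIdentifierCheck {

    /** Runs the WSLogin login module (via a new LoginContext) and returns the Subject. */
    public static Subject loginWithWSLogin(String userId, String password)
            throws LoginException {
        // WSCallbackHandlerImpl hands the user id and password to the WebSphere LoginModule.
        LoginContext ctx = new LoginContext("WSLogin", new WSCallbackHandlerImpl(userId, password));
        ctx.login();
        return ctx.getSubject();
    }

    /** Returns the WSCredential the login module stored in the Subject's public credentials. */
    public static WSCredential wsCredentialOf(Subject subject) {
        return subject.getPublicCredentials(WSCredential.class).stream().findFirst()
                .orElseThrow(() -> new IllegalStateException("Subject carries no WSCredential"));
    }

    /** Heuristic (assumption of this example, not a VMM API): an identifier that parses as a
     *  non-empty LDAP DN can be matched to a VMM Person/Account object; an opaque token from a
     *  custom user registry or TAI typically cannot, so rule-based policy would not apply. */
    public static boolean looksLikeDn(String identifier) {
        try {
            return identifier != null && new LdapName(identifier).size() > 0;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        WSCredential cred = wsCredentialOf(loginWithWSLogin(args[0], args[1]));
        String uniqueId = cred.getUniqueSecurityName();   // unique identifier of the subject
        List<?> groups = cred.getGroupIds();              // group membership used for role mapping
        System.out.println("unique id: " + uniqueId + " groups: " + groups);
        if (!looksLikeDn(uniqueId)) {
            System.out.println("warning: identifier is not VMM-compatible; only role-based access applies");
        }
    }
}
```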
