In the previous lesson, you assigned individual user-based authorization with user principals in the Java™ Authentication and Authorization Service (JAAS) authorization policy. However, when you have hundreds or thousands of users, use group-based authorization, which authorizes access based on groups instead of individual users.
Unfortunately, the Subject object that WebSphere® Application Server authenticates contains only a user principal; it does not contain a group principal. You can add a custom login module that populates a group principal into the Subject object.
For this tutorial, the custom login module is named com.ibm.websphere.samples.objectgrid.security.lm.WASAddGroupLoginModule. The module is in the groupLM.jar file. Place this JAR file in the WAS-INSTALL/lib/ext directory.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal com.ibm.websphere.sample.xs.security.WSGroupPrincipal
        "defaultWIMFileBasedRealm/cn=operatorGroup,o=defaultWIMFileBasedRealm" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal com.ibm.websphere.sample.xs.security.WSGroupPrincipal
        "defaultWIMFileBasedRealm/cn=adminGroup,o=defaultWIMFileBasedRealm" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
The principal class in each grant is WSGroupPrincipal, which represents the group. Use the following steps to configure the supplied com.ibm.websphere.samples.objectgrid.security.lm.WASAddGroupLoginModule login module:
In the administrative console, perform the following steps on the xs1 and xs2 servers in the xsCluster. If you use a different deployment topology, perform the steps on the application servers that host the container servers.
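As an added illustration, not the supplied groupLM.jar module or any IBM code, the following minimal JAAS login module does what this lesson describes: stacked after the WebSphere login, its commit() adds one group principal per group to the already authenticated Subject, so that a policy grant keyed on a group principal can match. The class names, the "groups" module option and the nested GroupPrincipal class are assumptions; the supplied WAS module instead derives the groups from the authenticated WebSphere credential.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

/** Stacked after the WebSphere login: adds one group principal per group to the Subject. */
public class AddGroupLoginModule implements LoginModule {
    /** Hypothetical stand-in for WSGroupPrincipal; equals/hashCode let the policy match by name. */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && name.equals(((GroupPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private String[] groups = new String[0];

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // Assumption: realm-qualified group names arrive as the module option "groups";
        // the supplied WAS module derives them from the authenticated WebSphere credential.
        Object opt = options.get("groups");
        if (opt != null) groups = opt.toString().split("\\s*,\\s*");
    }

    /** Authentication already happened in the WebSphere login module; nothing to verify here. */
    @Override public boolean login() { return true; }

    /** Runs after the upstream commit, so the user principal is already in the Subject. */
    @Override public boolean commit() {
        for (String g : groups) {
            if (!g.isEmpty()) subject.getPrincipals().add(new GroupPrincipal(g));
        }
        return true;
    }

    @Override public boolean abort() { return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof GroupPrincipal);
        return true;
    }
}
```

Configured with groups=defaultWIMFileBasedRealm/cn=operatorGroup,o=defaultWIMFileBasedRealm, the committed Subject carries a GroupPrincipal whose name matches the first grant in the policy above.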
You can use the sample application to test that the login module has configured group authorization.
You configured groups to simplify the assignment of permissions to the users of your application.