ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/secdj2c.htm

84 lines
7.7 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Develop your own J2C principal mapping module</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h3><a name="secdj2c"></a>Develop your own J2C principal mapping module</h3>
<p>WebSphere Application Server - Express provides principal mapping when Java 2 Connector (J2C) connection factory is configured to perform container managed sign-on. For example, the application server can map the caller principal to a resource principal in order to open a new connection to the backend server. With the container-managed sign-on, WebSphere Application Server - Express creates a Subject instance that contains EIS security domain credentials. A Subject object returned by a principal mapping module contains a Principal object; thus, it represents the caller identity and a PasswordCredential or a GenericCredential. WebSphere Application Server - Express provides a default principal mapping module that maps any authenticated user credentials to password credentials for the EIS security domain. The default mapping module is defined in the Application Login Configuration panel in the DefaultPrincipalMapping entry. The user ID and password for the EIS security domain is defined under each connection factory by an authDataAlias attribute container-managed authentication alias in the administrative console. The authDataAlias attribute does not actually contain the user name and password. An authDataAlias attribute contains an alias that refers to a user name and password pair that is defined in the security configuration document. Since it contains sensitive data, the security configuration document requires the most privileged administrator role for both read and write access. This indirection avoids saving sensitive user name and password in configuration documents other than the security document.</p>
<p>The J2C Connection Factory configuration contains a mapping module which defines a principal mapping module alias (mappingConfigAlias attribute) and an authentication data alias (authDataAlias attribute). At runtime the J2C managed connection factory code passes a reference of the ManagedConnectionFactory and an authDataAlias object to the configured principal mapping module via the WSPrincipalMappingCallbackHandler object. WebSphere Application Server - Express allows users to plug-in a custom principal mapping module for a connection factory if the any-authenticated-to-one mapping provided by the default principal mapping module is insufficient. A custom mapping module is a special purpose JAAS LoginModule that performs principal or credential mapping in the login method. The WSSubject.getCallerPrincipal() method can be used to retrieve the application client identity. To plug in a custom mapping module change the value of the mappingConfigAlias to the custom mapping module. However, the configuration cannot be done via the administrative console and must be done through the wsadmin scripting tool.</p>
<p>Follow these steps to configure a custom mapping module. Use the WebSphere administrative console to perform the first several steps. For more information, see <a href="../admin/ac.htm">The WebSphere administrative console</a> in the <em>Administration</em> topic. Use the wsadmin administrative tool to perform the remaining configuration. For more information about wsadmin, see <a href="../admin/wsa.htm">The wsadmin administrative tool</a> in the <em>Administration</em> topic.</p>
<ol>
<li><p>Start the WebSphere administrative console.</p></li>
<li><p>Click <strong>Security --&gt; JAAS Configuration</strong>.</p></li>
<li><p>Select <strong>Application Logins</strong>. Click <strong>New</strong>.</p></li>
<li><p>Enter a unique alias for the new mapping module, and click <strong>Apply</strong>.</p></li>
<li><p>Click <strong>JAAS Login Modules</strong> to define the custom mapping module class.</p></li>
<li><p>Click <strong>New</strong>, and complete mapping LoginModule class name.</p></li>
<li><p>Click <strong>Apply</strong>. Click <strong>Save</strong> to save the new configuration.</p></li>
<li><p>Use wsadmin to configure a J2C Connection Factory to use the new mapping module:</p>
<ol type="a">
<li><p><a href="../admin/wsarun.htm#start">Start wsadmin</a>.</p></li>
<li><p>At the wsadmin prompt, run the <tt>list</tt> command to show a list of J2CConnectionFactory objects:</p>
<pre>wsadmin&gt;$AdminConfig list J2CConnectionFactory</pre></li>
<li><p>To select the J2C Connection Factory, run the <tt>show</tt> command to show all the attributes. For example:</p>
<pre>wsadmin&gt;$AdminConfig show PetStore_CF
(cells/hillsideNetwork/nodes/hillside/servers/server1:
resources.xml#CMPConnectorFactory_4)</pre></li>
<li><p>Examine the current mapping module configuration. Run the <tt>show</tt> command:</p>
<pre>wsadmin&gt;$AdminConfig show {mapping
(cells/hillsideNetwork/nodes/hillside/servers/server1:
resources.xml#MappingModule_7)}</pre>
<p>The following shows sample results of the command:</p>
<pre>{authDataAlias {}} {mappingConfigAlias DefaultPrincipalMapping}</pre>
<p>As shown in the previous example, the J2C Connection factory is configured to use the DefaultPrincipalMapping login configuration.</p></li>
<li><p>Modify the mapping module configuration to use the new mapping module. Run the <tt>modify</tt> command:</p>
<pre>wsadmin&gt;$AdminConfig modify {mapping
(cells/hillsideNetwork/nodes/hillside/servers/server1:
resources.xml#MappingModule_7)} {{mappingConfigAlias myMappingModule}}</pre></li>
</ol>
<p>You may check the result with the <tt>show</tt> command:</p>
<pre>wsadmin&gt;$AdminConfig show {mapping
(cells/hillsideNetwork/nodes/hillside/servers/server1:
resources.xml#MappingModule_7)} {authDataAlias {}}
{mappingConfigAlias myMappingModule}</pre>
<p><strong>Note:</strong> The authDataAlias property is left undefined. In practice, the authDataAlias is passed at runtime to the custom mapping module. Using the authDataAlias property to look up user IDs and passwords requires the WebSphere Common Configuration Model (WCCM) programming interface, which is not available at this time.</p></li>
<li><p>Save your changes. Enter the <tt>save</tt> command:</p>
<pre>wsadmin&gt;save</pre></li>
</ol>
<p>This task allows you to use your own mapping module to fit your application environment. The WebSphere Application Server - Express default principal mapping module maps all authenticated user credentials to the same user ID and password credentials of the EIS security domain. The user ID and password are stored in the security configuration document and is looked up using the configured alias as a key. Your mapping module may be programmed to perform more sophisticated mapping and store passwords in other persistent storage or from a remote service.</p>
<p>To develop your own principal and credential mapping LoginModule, see <a href="http://java.sun.com/security/jaas/doc/module.html" target="_">JAAS LoginModule Developer's Guide</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center"> (http://java.sun.com/security/jaas/doc/module.html).</p>
<p>In particular, a mapping module needs to obtain the security identity of the caller. The WSSubject.getCallerPrincipal() static method returns a java.lang.String object that represents the caller's security identity. Note that the return type is different from that of the getCallerPrincipal() method of the EJBContext interface, which is java.security.Principal object.</p>
</body>
</html>