ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/secdj2c.htm


2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Develop your own J2C principal mapping module</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h3><a name="secdj2c"></a>Develop your own J2C principal mapping module</h3>
<p>WebSphere Application Server - Express provides principal mapping when a Java 2 Connector (J2C) connection factory is configured to perform container-managed signon. For example, the application server can map the caller principal to a resource principal in order to open a new connection to the backend server. With container-managed signon, WebSphere Application Server - Express creates a Subject instance that contains credentials for the EIS security domain. The Subject object that a principal mapping module returns contains a Principal object that represents the caller identity and either a PasswordCredential or a GenericCredential.</p>
<p>WebSphere Application Server - Express provides a default principal mapping module that maps any authenticated user credentials to password credentials for the EIS security domain. The default mapping module is defined in the Application Login Configuration panel in the DefaultPrincipalMapping entry. The user ID and password for the EIS security domain are defined under each connection factory by an authDataAlias attribute (<tt>container-managed authentication alias</tt> in the administrative console). The authDataAlias attribute does not itself contain the user name and password; it contains an alias that refers to a user name and password pair defined in the security configuration document. Because it contains sensitive data, the security configuration document requires the most privileged administrator role for both read and write access. This indirection avoids saving the sensitive user name and password in any configuration document other than the security document.</p>
<p>The J2C connection factory configuration contains a mapping module entry that defines a principal mapping module alias (the mappingConfigAlias attribute) and an authentication data alias (the authDataAlias attribute). At run time, the J2C managed connection factory code passes a reference to the ManagedConnectionFactory and the authDataAlias to the configured principal mapping module through the WSPrincipalMappingCallbackHandler object. WebSphere Application Server - Express allows you to plug in a custom principal mapping module for a connection factory if the any-authenticated-to-one mapping that the default principal mapping module provides is insufficient. A custom mapping module is a special-purpose JAAS LoginModule that performs the principal or credential mapping in its login method. Use the WSSubject.getCallerPrincipal() method to retrieve the identity of the application client. Plugging in a custom mapping module is simple: change the value of mappingConfigAlias to the alias of the custom mapping module. You can make the change with either the administrative console or the wsadmin scripting tool.</p>
<p>Follow these steps to configure a custom mapping module:</p>
<ol>
<li><p>Start the administrative console. To add a custom mapping module for an application server, click <strong>Servers --&gt; Application Servers</strong>. Click the name of your server.</p></li>
<li><p>Click <strong>Security --&gt; JAAS Configuration</strong>.</p></li>
<li><p>Select <strong>JAAS Configuration and Application Login</strong>. Click <strong>New</strong>.</p></li>
<li><p>Enter a unique alias for the new mapping module, and click <strong>Apply</strong>.</p></li>
<li><p>Click <strong>JAAS Login Modules</strong> to define the custom mapping module class.</p></li>
<li><p>Click <strong>New</strong>, and enter the fully qualified class name of the mapping LoginModule.</p></li>
<li><p>Click <strong>Apply</strong>. Click <strong>Save</strong> to save the new configuration.</p></li>
<li><p>Configure a J2C Connection Factory to use the new mapping module. You can use either the administrative console or wsadmin to do this:</p>
<ul>
<li><p>If you use the administrative console, perform the following steps:</p>
<ol type="a">
<li>Click <strong>Resources</strong> --&gt; <strong>Resource Adapters</strong> --&gt; <strong><em>resource_adapter</em></strong>, where <em>resource_adapter</em> is the name of your resource adapter.</li>
<li>Under <strong>Additional Properties</strong>, click <strong>CMP Connection Factories</strong>.</li>
<li>Click the name of your connection factory.</li>
<li>Enter the resource name, Java Naming and Directory Interface (JNDI) name, a description of the resource, and a category in which to classify the resource.</li>
<li>Click <strong>OK</strong>.</li>
<li>Click <strong>Save</strong> in the upper-left section of the administrative console to save your configuration changes.</li>
</ol><p></p></li>
<li><p>If you use wsadmin, perform the following steps:</p>
<ol type="a">
<li><p>At the wsadmin prompt, run the <tt>list</tt> command to show a list of J2CConnectionFactory objects:</p>
<pre>wsadmin&gt;$AdminConfig list J2CConnectionFactory</pre></li>
<li><p>To select the J2C Connection Factory, run the <tt>show</tt> command to show all the attributes. For example:</p>
<pre>wsadmin&gt;$AdminConfig show PetStore_CF
(cells/hillsideNetwork/nodes/hillside/servers/myserver:
resources.xml#CMPConnectorFactory_4)</pre></li>
<li><p>Examine the current mapping module configuration. Run the <tt>show</tt> command:</p>
<pre>wsadmin&gt;$AdminConfig show {mapping
(cells/hillsideNetwork/nodes/hillside/servers/myserver:
resources.xml#MappingModule_7)}</pre>
<p>The following shows sample results of the command:</p>
<pre>{authDataAlias {}} {mappingConfigAlias DefaultPrincipalMapping}</pre>
<p>As shown in the previous example, the J2C Connection factory is configured to use the DefaultPrincipalMapping login configuration.</p></li>
<li><p>Modify the mapping module configuration to use the new mapping module. Run the <tt>modify</tt> command:</p>
<pre>wsadmin&gt;$AdminConfig modify {mapping
(cells/hillsideNetwork/nodes/hillside/servers/myserver:
resources.xml#MappingModule_7)} {{mappingConfigAlias myMappingModule}}</pre></li>
<li><p>You can check the result with the <tt>show</tt> command:</p>
<pre>wsadmin&gt;$AdminConfig show {mapping
(cells/hillsideNetwork/nodes/hillside/servers/myserver:
resources.xml#MappingModule_7)}</pre>
<p>The result now shows the new alias:</p>
<pre>{authDataAlias {}} {mappingConfigAlias myMappingModule}</pre>
<p><strong>Note:</strong> The authDataAlias property is left undefined. In practice, the authDataAlias is passed at runtime to the custom mapping module. Using the authDataAlias property to look up user IDs and passwords requires the WebSphere Common Configuration Model (WCCM) programming interface, which is not available at this time.</p></li>
<li><p>Save your changes with the <tt>$AdminConfig save</tt> command:</p>
<pre>wsadmin&gt;$AdminConfig save</pre></li>
</ol></li>
</ul></li>
</ol>
<p>This task lets you use your own mapping module to fit your application environment. The WebSphere Application Server - Express default principal mapping module maps all authenticated user credentials to the same user ID and password credentials of the EIS security domain. That user ID and password are stored in the security configuration document and are looked up using the configured alias as the key. Your mapping module can perform more sophisticated mapping and can obtain passwords from other persistent storage or from a remote service.</p>
<p>To develop your own principal and credential mapping LoginModule, see <a href="http://java.sun.com/security/jaas/doc/module.html" target="_">JAAS LoginModule Developer's Guide</a> <img src="www.gif" width="18" height="15" alt="Link outside Information Center"> (http://java.sun.com/security/jaas/doc/module.html).</p>
<p>In particular, a mapping module needs to obtain the security identity of the caller. The WSSubject.getCallerPrincipal() static method returns a java.lang.String object that represents the caller's security identity. Note that the return type is different from that of the getCallerPrincipal() method of the EJBContext interface, which is a java.security.Principal object.</p>
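<p>The following is an added example of the kind of LoginModule the preceding paragraphs describe (the run-time flow through the callback handler, the WSSubject.getCallerPrincipal() lookup, and a mapping richer than any-authenticated-to-one). It is not IBM code and not part of this Information Center topic. It assumes two things the page does not state: that the container delivers the target ManagedConnectionFactory through <tt>com.ibm.wsspi.security.auth.callback.WSManagedConnectionFactoryCallback</tt>, whose accessor the IBM API spells <tt>getManagedConnectionFacotry()</tt> (verify both names against the javadoc of your release), and that EIS credentials come from a hypothetical <tt>CredentialStore</tt>, shown here as an in-memory table of constructed sample values that a real deployment would replace with a vault or remote service. The package and class names are also hypothetical.</p>

```java
// Added example, not IBM code: a per-caller J2C principal mapping LoginModule.
// Assumed (see lead-in): WSManagedConnectionFactoryCallback and its accessor
// getManagedConnectionFacotry(); CredentialStore/InMemoryStore are hypothetical.
package example.mapping; // hypothetical package

import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.auth.callback.WSManagedConnectionFactoryCallback;

public class PerCallerMappingLoginModule implements LoginModule {

    /** Hypothetical lookup of {eisUserId, eisPassword} by caller; null = unmapped. */
    public interface CredentialStore { String[] lookup(String callerIdentity); }

    /** Constructed sample data; a real store would query a vault or remote service. */
    static final class InMemoryStore implements CredentialStore {
        private final Map table = new HashMap();
        InMemoryStore() {
            table.put("alice", new String[] { "EISALICE", "alice-eis-secret" });
            table.put("batchsvc", new String[] { "EISBATCH", "batch-eis-secret" });
        }
        public String[] lookup(String c) { return (String[]) table.get(c); }
    }

    /** Minimal Principal for the mapped EIS identity. */
    static final class EisPrincipal implements Principal {
        private final String name;
        EisPrincipal(String n) { name = n; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof EisPrincipal && name.equals(((EisPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private CredentialStore store;
    private Principal eisPrincipal;           // built in login(), applied in commit()
    private PasswordCredential eisCredential;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
        this.store = new InMemoryStore();
    }

    public boolean login() throws LoginException {
        // No authenticated caller means nothing to map from: fail closed rather than
        // fall back to a shared EIS account.
        String caller = WSSubject.getCallerPrincipal();
        if (caller == null || caller.length() == 0) {
            throw new LoginException("no authenticated caller; refusing to map");
        }
        ManagedConnectionFactory mcf = managedConnectionFactory();
        // Unmapped callers are denied; this is what separates the module from the
        // any-authenticated-to-one default.
        String[] creds = store.lookup(caller);
        if (creds == null) {
            throw new LoginException("no EIS mapping for caller " + caller);
        }
        PasswordCredential pc = new PasswordCredential(creds[0], creds[1].toCharArray());
        pc.setManagedConnectionFactory(mcf); // the adapter matches credentials on the MCF
        eisPrincipal = new EisPrincipal(creds[0]);
        eisCredential = pc;
        return true;
    }

    /** Asks the container's callback handler which connection factory is logging in. */
    private ManagedConnectionFactory managedConnectionFactory() throws LoginException {
        WSManagedConnectionFactoryCallback cb = new WSManagedConnectionFactoryCallback("MCF: ");
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("handler does not supply a ManagedConnectionFactory");
        }
        ManagedConnectionFactory mcf = cb.getManagedConnectionFacotry();
        if (mcf == null) throw new LoginException("no ManagedConnectionFactory in callback");
        return mcf;
    }

    public boolean commit() throws LoginException {
        if (eisCredential == null) return false;
        subject.getPrincipals().add(eisPrincipal);
        // Private credentials: the password must not be readable through getPublicCredentials().
        subject.getPrivateCredentials().add(eisCredential);
        return true;
    }

    public boolean abort() { eisPrincipal = null; eisCredential = null; return true; }

    public boolean logout() {
        if (eisCredential != null) {
            subject.getPrivateCredentials().remove(eisCredential);
            subject.getPrincipals().remove(eisPrincipal);
        }
        return abort();
    }
}
```

<p>To use a module like this, enter its fully qualified class name as the JAAS login module of a new application login configuration and set that configuration's alias as the connection factory's mappingConfigAlias, as in the steps above. Two points carry the security value: the module throws rather than mapping when there is no authenticated caller or no entry for that caller, so a misconfiguration cannot quietly grant every caller the same EIS account, and the PasswordCredential is bound to the ManagedConnectionFactory and placed only in the Subject's private credentials. Do not log the caller-to-EIS mapping together with the password, and keep the credential source outside the resources configuration document, for the same reason the default module uses an alias.</p>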
</body>
</html>