Configure Java Authentication and Authorization Service login

Java Authentication and Authorization Service (JAAS) is a new feature in WebSphere Application Server - Express. JAAS is a collection of WebSphere Application Server - Express strategic authentication APIs for and replace the CORBA programmatic login APIs. WebSphere Application Server - Express has provided some extensions to JAAS:

• com.ibm.websphere.security.auth.WSSubject
  Due to a design oversight in JAAS V1.0, javax.security.auth.Subject.getSubject() does not return the subject associated with the thread of execution inside a java.security.AccessController.doPrivileged() code block. This presents an inconsistent behavior that is problematic and causes undesirable effort. The com.ibm.websphere.security.auth.WSSubject API provides a workaround to associate the subject to thread of execution. The com.ibm.websphere.security.auth.WSSubject API extends the JAAS authorization model to J2EE resources.

  Version 5.0.1 or later: You can retrieve the subjects in a Subject.doAs() block with the Subject.getSubject() call. However, this procedure does not work if there is an AccessController.doPrivileged() call within the Subject.doAs() block. In the following example, s1 is equal to s, but s2 is null:

  Subject.doAs(s, new PrivilegedAction() {
    public Object run() {
      System.out.println("Within Subject.doAsPrivileged()");
      Subject s1 = Subject.getSubject(AccessController.getContext());
      AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
          Subject s2 = Subject.getSubject(AccessController.getContext());
          return null;
        }
      }
      return null;
    }
  }

• You can configure JAAS login in the WebSphere administrative console. However, WebSphere Application Server - Express still supports the default JAAS login configuration format (plan text file) that is provided by the JAAS default implementation. If there are duplicate login configurations defined in both the administrative configuration and the plan text file format, the one in the configuration takes precedence. There are advantages to defining the login configuration with the administrative console:
  • User interface support in defining JAAS login configuration.
  • You can manage the JAAS configuration login configuration centrally.

• Proxy LoginModule.
  The default JAAS implementation does not use the thread context class loader to load classes. The LoginModule can not load if the LoginModule class file is not in the application class loader or the Java extension class loader class path. Due to this class loader visibility problem, WebSphere Application Server - Express provides a proxy LoginModule to load JAAS LoginModule using the thread context class loader. You do not need to place the LoginModule implementation on the application class loader or the Java extension class loader classpath with this proxy LoginModule.

Note: Do not remove or delete the pre-defined JAAS login configurations (ClientContainer, WSLogin and DefaultPrincipalMapping). Deleting or removing them could cause other enterprise applications to fail.

Create a new JAAS login configuration

Perform these steps in the administrative console:

1. Click Security in the navigation tree.
2. Click JAAS Configuration --> Application Logins.
3. Click New. The Application Login Configuration panel appears.
4. Specify the alias name of the new JAAS login configuration and click Apply. This is the name of the login configuration that you pass in the javax.security.auth.login.LoginContext for creating a new LoginContext.
5. Click JAAS Login Modules.
6. Click New.
7. Specify the Module Classname. It is recommended that you specify WebSphere Proxy LoginModule because of the limitation of the class loader visibility problem.
8. Specify the LoginModule implementation as the delegate property of the Proxy LoginModule. The WebSphere Proxy LoginModule classname is com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.
9. Select Authentication Strategy from the drop down list and click Apply.
10. Click Custom Properties. This will navigate to the Custom Properties panel for the selected LoginModule.
11. Create a new property with the name delegate with the value being the real LoginModule implementation. You can specify other properties like debug with value true. These properties are passed to the LoginModule as options to initialize() method of the LoginModule.

12. Click Save.

Change the plain text file

WebSphere Application Server - Express supports the default JAAS login configuration format (plain text file) provided by the JAAS default implementation. However, there is no tool provided to edit plain text file in this format. You can define the JAAS login configuration in the plain text file wsjaas.conf (which is located in the properties subdirectory of your instance root, for example /QIBM/UserData/WebASE/ASE5/instanceName/properties), any syntax errors can cause the plain JAAS Login Configuration text file to not parse correctly. This could cause other applications to fail.

Note: Do not remove or delete the pre-defined JAAS login configurations (ClientContainer, WSLogin, system.SWAM and system.LTPA). Deleting or removing them could cause other enterprise applications to fail.

For more information about editing the plain-text JAAS configuration file, see JAAS 1.0 Developer's Guide .

Restart the application servers to validate changes to the plain-text file.