Configure Java Authentication and Authorization Service login

Java Authentication and Authorization Service (JAAS) is a collection of authentication APIs for programmatic login. WebSphere Application Server - Express has provided some extensions to JAAS:

• com.ibm.websphere.security.auth.WSSubject
  Due to a design oversight in the JAAS Version 1.0 specification, javax.security.auth.Subject.getSubject() does not return the subject associated with the thread of execution inside a java.security.AccessController.doPrivileged() code block. This presents an inconsistent behavior that is problematic and causes undesirable effort. The com.ibm.websphere.security.auth.WSSubject API provides a workaround to associate the subject to thread of execution. The com.ibm.websphere.security.auth.WSSubject API extends the JAAS authorization model to J2EE resources.

  You can retrieve the subjects in a Subject.doAs() block with the Subject.getSubject() call. However, this procedure does not work if there is an AccessController.doPrivileged() call within the Subject.doAs() block. In the following example, s1 is equal to s, but s2 is null:

  Subject.doAs(s, new PrivilegedAction() {
    public Object run() {
      System.out.println("Within Subject.doAsPrivileged()");
      Subject s1 = Subject.getSubject(AccessController.getContext());
      AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
          Subject s2 = Subject.getSubject(AccessController.getContext());
          return null;
        }
      }
      return null;
    }
  }

  The AccessController.doPrivileged() method not only truncates the Subject propagation and reduces the permissions, it does not include the JAAS security policy that is defined for the principals within the Subject object.

• Configuration with the console
  You can configure JAAS login in the administrative console. However, WebSphere Application Server - Express still supports the default JAAS login configuration format (plain text file) that is provided by the JAAS default implementation. If there are duplicate login configurations defined in both the administrative configuration and the plain text file format, the one in the administrative configuration takes precedence.

• Proxy LoginModule
  The default JAAS implementation does not use the thread context class loader to load classes. The LoginModule cannot load if the LoginModule class file is not in the application class loader or the Java extension class loader class path. Due to this class loader visibility problem, WebSphere Application Server - Express provides a proxy LoginModule to load JAAS LoginModule using the thread context class loader. You do not need to place the LoginModule implementation on the application class loader or the Java extension class loader classpath with this proxy LoginModule.

Predefined JAAS login configurations are provided for applications to use. You can view the configurations in the WebSphere administrative console. Expand Security --> JAAS Configuration, and click Application Login. The following JAAS login configurations are available for use:

• WSLogin
  Defines a login configuration and a LoginModule implementation that applications can use, in general.

• DefaultPrincipalMapping
  Defines a special LoginModule module that is typically used by Java 2 Connector to map an authenticated WebSphere user identity to a set of user authentication data (user ID and password) for the specified back-end enterprise information system. For more information about Java 2 Connector and the DefaultMappingModule module, see Configure Java 2 security.

Note: Do not remove or delete the pre-defined JAAS login configurations. Deleting or removing them could cause other enterprise applications to fail.

A new JAAS login configuration can be added and modified using the administrative console. An application server restart is required for the changes to take effect at run time.

There are several locations within the WebSphere Application - Express Server directory structure where you can place a JAAS login module. The following list provides locations for the JAAS login module in order of recommendation:

• Within an Enterprise Archive (EAR) file for a specific Java 2 Enterprise Edition (J2EE) application.
  If you place the login module within the EAR file, it is accessible to the specific application only.

• In the WebSphere Application Server - Express shared library.
  If you place the login module in the shared library, you must specify which applications can access the module. For more information on shared libraries, see Administer shared libraries in the Administration topic.

Perform these steps in the administrative console to configure a new JAAS login:

1. Click Security in the navigation tree.
2. Click JAAS Configuration --> Application Logins.
3. Click New. The Application Login Configuration panel appears.
4. Specify the alias name of the new JAAS login configuration and click Apply. This is the name of the login configuration that you pass in the javax.security.auth.login.LoginContext for creating a new LoginContext.
5. Click JAAS Login Modules.
6. Click New.
7. Specify the Module Classname. It is recommended that you specify WebSphere Proxy LoginModule because of the limitation of the class loader visibility problem.
8. Specify the LoginModule implementation as the delegate property of the Proxy LoginModule. The WebSphere Proxy LoginModule classname is com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.
9. Select Authentication Strategy from the drop down list and click Apply.
10. Click Custom Properties. This will navigate to the Custom Properties panel for the selected LoginModule.
11. Create a new property with the name delegate with the value being the real LoginModule implementation. You can specify other properties like debug with value true. These properties are passed to the LoginModule as options to initialize() method of the LoginModule.

12. Click Save.

Change the plain text file

WebSphere Application Server - Express supports the default JAAS login configuration format (plain text file) provided by the JAAS default implementation. However, there is no tool provided to edit plain text files in this format. You can define the JAAS login configuration in the plain text file wsjaas.conf (which is located in the properties subdirectory of your instance root, for example /QIBM/UserData/WebASE51/ASE/instance/properties), any syntax errors can cause the plain JAAS Login Configuration text file to not parse correctly. This could cause other applications to fail.

Java client programs that use JAAS for authentication must be invoked with a JAAS configuration file specified. This configuration file is set in the launchClient script. If the launchClient script is not used to invoke the Java client program, ensure that the appropriate JAAS configuration file is passed to the Java virtual machine with the -Djava.security.auth.login.config flag.

For more information about editing the plain-text JAAS configuration file, see JAAS 1.0 Developer's Guide .

Restart the application servers to validate changes to the plain text file.