System login configuration entry settings for Java Authentication and
Authorization ServiceUse this page to specify a list of Java Authentication and Authorization Service (JAAS) system login configurations.
To view this administrative console page, click Security > JAAS Configuration > System logins.
Read Java Authentication and Authorization Service before you begin defining additional login modules for authenticating to the WebSphere Application Server security run time. Do not remove the following system login modules:
These three login configurations can pass in the following callback information, which is handled by the login modules within these configurations. These callbacks are not passed in at the same time. However, the combination of these callbacks determines how WebSphere Application Server authenticates the user.
callbacks[0] = new javax.security.auth.callback.
NameCallback("Username: ");
callbacks[1] = new javax.security.auth.callback.
PasswordCallback("Password: ", false);
callbacks[2] = new com.ibm.websphere.security.auth.callback.
WSCredTokenCallbackImpl("Credential Token: ");
callbacks[3] = new com.ibm.wsspi.security.auth.callback.
WSTokenHolderCallback("Authz Token List: ");
Note: This callback is present only when the Security Attribute Propagation option is enabled and this login is a propagation login. In a propagation login, (sufficient security attributes are propagated with the request to prevent having to access the user registry for additional attributes.
In system login configurations, WebSphere Application Server authenticates the user based upon the information collected by the callbacks. However, a custom login module does not need to act upon any of these callbacks. The following list explains the typical combinations of these callbacks:
This callback occurs for CSIv2 Identity Assertion; Web and CSIv2 X509 certificate logins; old-style trust association interceptor logins, and so on. In Web and CSIv2 X509 certificate logins, WebSphere Application Server maps the certificate to a user name. This callback is used by any login type that establishes trust using the user name only.
This combination of callbacks is typical for basic authentication logins. Most user authentications occur using these two callbacks.
This callback is used to validate a Lightweight Third Party Authentication (LTPA) token. This validation typically occurs during an single sign-on (SSO) or downstream login. Any time a request originates from a WebSphere Application Server, instead of a pure client, the LTPA token typically flows to the target server. For single signon (SSO), the LTPA token is received in the cookie and the token is used for login. If a custom login module needs the user name from an LTPA token, the module can use the following method to retrieve the uniqueID from the token:
com.ibm.wsspi.security.token.WSSecurityPropagationHelper. validateLTPAToken(byte[])After retrieving the uniqueID, use the following method to get the user name:
com.ibm.wsspi.security.token.WSSecurityPropagationHelper. getUserFromUniqueID(uniqueID)
Note: Any time a custom login module is plugged in ahead of the WebSphere Application Server login modules and it changes the identity using the credential mapping services, it is important that this login module validates the LTPA token, if present. Calling the following method is sufficient to validate the trust in the LTPA token:
com.ibm.wsspi.security.token.WSSecurityPropagationHelper. validateLTPAToken(byte[])The receiving server must have the same LTPA keys as the sending server in order for this to be successful. There is a possible security exposure if you do not validate this LTPA token, when present.
This callback indicates that some propagated attributes have arrived at the server. The propagated attributes still require one of the following authentication methods:
callbacks[0] = new javax.security.auth.callback.
NameCallback("Username: ");
callbacks[1] = new javax.security.auth.callback.
PasswordCallback("Password: ", false);
callbacks[2] = new com.ibm.websphere.security.auth.callback.
WSCredTokenCallbackImpl("Credential Token: ");
If the attributes are added to the Subject from a pure client, then the NameCallback and PasswordCallback callbacks authenticate the information and the objects that are serialized in the token holder are added to the authenticated Subject.
If both CSIv2 identity assertion and propagation are enabled, WebSphere Application Server uses the NameCallback callback and the token holder, which contains all of the propagated attributes, to deserialize most of the objects. WebSphere Application Server uses the NameCallback callback because trust is established with the servers that you indicate in the CSIv2 trusted server list. To specify trusted servers, click Security > Authentication protocol > CSIv2 Inbound authentication.
Custom serialization needs to be handled by a custom login module only. For more information, see "Security attribute propagation".
In addition to the callbacks that aredefined previously, the WEB_INBOUND login configuration can contain the following additional callbacks only:
callbacks[4] = new com.ibm.websphere.security.auth.callback.
WSServletRequestCallback("HttpServletRequest: ");
callbacks[5] = new com.ibm.websphere.security.auth.callback.
WSServletResponseCallback("HttpServletResponse: ");
callbacks[6] = new com.ibm.websphere.security.auth.callback.
WSAppContextCallback("ApplicationContextCallback: ");
The following login modules are predefined for the RMI_INBOUND, WEB_INBOUND, and DEFAULT system login configurations. You can add custom login modules before, between, or after any of these login modules, but you cannot remove these predefined login modules.
This login module performs the primary login when attribute propagation is either enabled or disabled. A primary login uses normal authentication information such as a user ID and password; an LTPA token; or a trust association interceptor (TAI) and a certificate distinguished name (DN). If any of the following scenarios are true, this login module is not used and the com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule module performs the primary login:
This login module performs the primary login using the normal authentication information if any of the following conditions are true:
When the java.util.Hashtable object is present, the login module maps the object attributes into a valid Subject. When WSTokenHolderCallback is present, the login module deserializes the byte token objects and regenerates the serialized Subject contents. The java.util.Hashtable takes precedence over all of the other forms of login. Thus, be careful to avoid duplicating or overriding what WebSphere Application Server might have propagated previously. By specifying a java.util.Hashtable to take precedence over other authentication information, the custom login module must have already verified the LTPA token, if present, to establish sufficient trust. The custom login module can use the com.ibm.wsspi.security.token.WSSecurityPropagationHelper.validationLTPAToken(byte[]) method to validate the LTPA token present in the WSCredTokenCallback. Failure to validate the LTPA token presents a security risk.
For more information on adding a Hashtable containing well-known and well-formed attributes used by WebSphere Application Server as sufficient login information, see "Configuring inbound identity mapping".
These properties are set in the CSIv2 authentication panel. To access the panel, click Security > Authentication protocol > CSIv2 Outbound authentication. To set the com.ibm.CSI.rmiOutboundLoginEnabled property, select Custom outbound mapping. To set the com.ibm.CSIOutboundPropagationEnabled property, select the Security attribute propagation option.
This login configuration determines the security capabilities of the target server and its security domain. For example, if WebSphere Application Server Version 5.1.1 communicates with a version 5.x Application Server, then the Version 5.1.1 application server sends the authentication information only, using an LTPA token, to the version 5.x Application Server. However, if WebSphere Application Server Version 5.1.1 communicates with a Version 5.1.x Application Server, the authentication and authorization information is sent to the receiving application server if propagation is enabled at both the sending and receiving servers. When the application server sends both the authentication and authorization information downstream, it removes the need to re-access the user registry and look up the security attributes of the user for authorization purposes. Additionally, any custom objects added at the sending server should be present in the Subject at the downstream server.
The following callback is available to in the RMI_OUTBOUND login configuration. You can use the com.ibm.wsspi.security.csiv2.CSIv2PerformPolicy object that is returned by this callback to query the security policy for this particular outbound request. This query can help determine if the target realm is different than the current realm and if WebSphere Application Server must map the realm. For more information, see "Configuring outbound mapping to a different target realm".
Provides protocol-specific policy information for the login modules on this outbound invocation. This information is used to determine the level of security, including the target realm, target security requirements, and coalesced security requirements.
The following method obtains the CSIv2PerformPolicy from this specific login module:
csiv2PerformPolicy = (CSIv2PerformPolicy) ((WSProtocolPolicyCallback)callbacks[0]).getProtocolPolicy();
A different protocol other than RMI might have a different type of policy object.
The following login module is predefined in the RMI_OUTBOUND login configuration. You can add custom login modules before, between, or after any of these login modules, but you cannot remove these predefined login modules.
You can use a custom login module prior to this login module to perform credential mapping. However, it is recommended that the login module change the contents of the Subject that is passed in during the login phase. If this recommendation is followed, the login modules processed after this login module act on the new Subject contents.
For more information, see " Configuring outbound mapping to a different target realm".
SWAM does not support forwardable credentials. When SWAM is the authentication method, WebSphere Application Server cannot send requests from server to server. In this case, you must use LTPA.
This login configuration is used by WebSphere Application Server Version 5.1. This login configuration was introduced in version 5.1 and is no longer used in version 5.1.1.
The com.ibm.ws.security.web.AuthenLoginModule login module is predefined in the LTPA login configuration. You can add custom login modules before or after this module in the LTPA_WEB login configuration.
The LTPA_WEB login configuration can process the HttpServletRequest object, the HttpServletResponse object, and the Web application name that are passed in using a callback handler. For more information, see "Customizing a server-side Java Authentication and Authorization Service authentication and login configuration" in the documentation.
This login configuration is used by WebSphere Application Server Version 5.1 and previous versions.
The com.ibm.ws.security.server.lm.ltpaLoginModule login module is pre-defined in the LTPA login configuration. You can add custom login modules before or after this module in the LTPA login configuration. For more information, see "Customizing a server-side Java Authentication and Authorization Service authentication and login configuration" in the documentation.