Implementing a custom authentication provider using JASPI
You can implement a custom authentication provider using Java™ Authentication SPI for Containers (JASPI, sometimes called JASPIC) to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications.
Before you begin
For JASPI authentication processing to take place, application security must be enabled in the global or domain security configuration and the server must be restarted for the configuration changes to take effect. Read the Application security topic for more information.
About this task
This release of WebSphere® Application Server supports the JSR 196: Java Authentication SPI for Containers (JASPI, sometimes called JASPIC) specification, which enables third-party security providers to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications. The JASPI specification extends the pluggable authentication concepts of the Java Authentication and Authorization Service (JAAS) to the authentication of HTTP request and response messages. When application security is enabled and a protected web resource is accessed, the web container and the security runtime collaborate to make an authentication decision for the caller. When a third-party JASPI provider is used, the authentication decision is delegated to that provider.
The JASPI specification defines standard system programming interfaces that enable developers to write a pluggable custom authentication provider that can handle Java EE web authentication mechanisms as well as any extended authentication processing. The WebSphere Application Server runtime uses these standard system programming interfaces to invoke the JASPI authentication provider. For the requirements that third-party authentication providers must satisfy, read the Servlet Container Profile section in the JSR 196: Java Authentication Service Provider Interface for Containers specification.
If application security is enabled with JASPI authentication, when a web resource (such as a servlet or a JavaServer Pages (JSP) file) is accessed, the security runtime checks whether the web resource is mapped to a JASPI provider defined in the security configuration. If so, the runtime invokes the JASPI authentication provider to perform authentication for the HTTP request and response messages.
To implement a custom authentication provider using JASPI you must do the following: