[z/OS]

Writing a custom System Authorization Facility (SAF) mapping module with non-local operating system

You can customize Java™ Authentication and Authorization Service (JAAS) login configurations by writing a customized login mapping module.

Before you begin

The WebSphere® Application Server ltpaLoginModule module and the AuthenLoginModule module save state information in the shared state, which allows LoginModules to modify that information. The ltpaLoginModule initializes the callback array in the login() method using the following code. The callback array is created by ltpaLoginModule only if an array is not defined in the shared state area.
Note: If you are using the SAF distributed identity mapping feature, you do not need to configure a mapping module.

About this task

If a non-local operating system registry is configured and the Authorization option is selected, you must install a mapping class followed by the com.ibm.ws.security.common.auth.module.MapPlatformSubject login module. A sample mapping class, com.ibm.websphere.security.SampleSAFMappingModule, is shipped with WebSphere Application Server and can be used as a starting point. Before you enable administrative security, the mapping class must be placed in the JAAS configuration so that it maps identities from a registry other than the local operating system to a SAF user ID. The Authorization option is accessible by completing the following steps:

Procedure

  1. Click Security > Global security.
  2. Under Additional properties, click z/OS® SAF properties.
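
The following is an added example, not IBM's SampleSAFMappingModule or other product code. It shows the general shape of such a mapping module: it reads the authenticated identity from the JAAS shared state, maps it to a SAF user ID, and fails the login when no valid mapping exists. The class name, both shared-state key strings and the mapping table are hypothetical placeholders; this page does not give the keys that MapPlatformSubject reads.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ExampleSafMappingModule implements LoginModule {
    // Placeholder shared-state keys (assumptions): substitute the keys that your
    // WebSphere level documents for the authenticated identity and the SAF user ID.
    static final String IDENTITY_KEY = "example.authenticated.identity";
    static final String SAF_USER_KEY = "example.mapped.saf.userid";
    // A RACF user ID is 1-8 characters from A-Z, 0-9 and the national characters # $ @.
    private static final Pattern SAF_ID = Pattern.compile("[A-Z0-9#$@]{1,8}");
    // Constructed sample mapping table; a real module would consult a managed source.
    private static final Map<String, String> DIRECTORY_TO_SAF = new HashMap<>();
    static {
        DIRECTORY_TO_SAF.put("uid=jsmith,ou=people,dc=example,dc=com", "JSMITH");
        DIRECTORY_TO_SAF.put("uid=wasadmin,ou=people,dc=example,dc=com", "WASADM1");
    }
    private Map<String, Object> sharedState;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        Object identity = sharedState.get(IDENTITY_KEY);
        if (identity == null) {
            throw new LoginException("No authenticated identity in shared state");
        }
        String safId = DIRECTORY_TO_SAF.get(identity);
        // Fail closed: never fall back to a default or shared SAF user ID.
        if (safId == null || !SAF_ID.matcher(safId).matches()) {
            throw new LoginException("No valid SAF user ID mapped for " + identity);
        }
        sharedState.put(SAF_USER_KEY, safId); // read by the next module in the stack
        return true;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort() { sharedState.remove(SAF_USER_KEY); return true; }
    @Override public boolean logout() { return true; }
}
```

Rejecting the login when no mapping exists keeps an unmapped registry user from being authorized under a shared or default SAF identity.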

What to do next

See other articles about JAAS and SAF.