Use the wsadmin tool to configure and manage Java™ Authentication and Authorization Service (JAAS) login entries to allow communication between realms in a multiple security domain environment.
Before you begin
You must meet the following requirements before configuring
local operating system user registries:
- You must have the administrator or new admin role.
- Enable global security in your environment.
- Configure multiple realms using security domains in your environment.
Procedure
- Launch the wsadmin scripting tool using the Jython scripting
language. See the Starting the wsadmin scripting client topic for
more information.
- Configure a JAAS login module.
Use the configureJAASLoginEntry command to configure a Java Authentication and Authorization Service (JAAS) login entry in a security domain or in the global security configuration. You can use this command to modify existing JAAS login entries or to create new login entries.
Specify the following parameters to configure the JAAS login module:
Table 1. Command parameters. Run the configureJAASLoginEntry command to configure a JAAS login module.

| Parameter | Description |
| --- | --- |
| -loginEntryAlias | Specifies an alias that identifies the JAAS login entry in the configuration. (String, required) |
| -loginType | Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String, required) |
| -securityDomainName | Specifies the name of the security configuration. If you do not specify a security domain name, the system updates the global security configuration. (String, optional) |
| -loginModules | Specifies a comma (,) separated list of login module class names. Specify the list in the order that the system calls them. (String, optional) |
| -authStrategies | Optionally specifies the authentication behavior as authentication proceeds down the list of login modules. (String, optional) Specify one or many of the following values in a comma (,) separated list: REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL. |

The -authStrategies values have the following meanings:
  REQUIRED: Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.
  REQUISITE: Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.
  SUFFICIENT: Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.
  OPTIONAL: Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.
Use the configureJAASLoginEntry command to configure
the JAAS login module, as the following Jython example demonstrates:
AdminTask.configureJAASLoginEntry('[-securityDomainName testDomain -loginType application -loginEntryAlias testLoginEntry -loginModules "com.ibm.ws.security.common.auth.module.WSLoginModuleImpl" -authStrategies "REQUIRED"]')
- Set custom properties for the JAAS login module.
Use the configureLoginModule command to specify custom properties, modify the authentication strategy, or set the module to use a login module proxy. The following Jython command sets the debug and delegate custom properties for the testLoginEntry JAAS login entry:
AdminTask.configureLoginModule('[-securityDomainName testDomain -loginType application -loginEntryAlias testLoginEntry -loginModule com.ibm.ws.security.common.auth.module.WSLoginModuleImpl -customProperties ["debug=true","delegate=WSLogin"]]')
- Save your configuration changes.
Use the following command example to save your configuration
changes:
AdminConfig.save()
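
The -authStrategies values in Table 1 decide which login modules actually run, so the order given in -loginModules matters. The following added example (not IBM code and not a wsadmin script) models that flow in plain Python. The class name example.TokenLoginModule, the positional pairing of strategies with modules, and the use of the standard JAAS rule for the overall result are assumptions.

```python
# Added example (not IBM code). Models the -authStrategies flow from Table 1.
WS_MODULE = "com.ibm.ws.security.common.auth.module.WSLoginModuleImpl"
TOKEN_MODULE = "example.TokenLoginModule"   # hypothetical class name
FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


def pair_modules(login_modules, auth_strategies):
    """Pair the comma-separated -loginModules and -authStrategies values.

    Assumption: strategies map to modules by position, one per module.
    """
    modules = [m.strip() for m in login_modules.split(",") if m.strip()]
    flags = [f.strip().upper() for f in auth_strategies.split(",") if f.strip()]
    if len(modules) != len(flags):
        raise ValueError("need one authStrategy per login module")
    for flag in flags:
        if flag not in FLAGS:
            raise ValueError("unknown authStrategy: " + flag)
    return list(zip(modules, flags))


def evaluate_stack(stack, results):
    """Walk the stack in call order; results maps module name -> True/False.

    Returns (authenticated, called). The overall verdict uses the standard
    JAAS rule: every REQUIRED/REQUISITE module that ran must succeed, and
    at least one module must succeed.
    """
    called, mandatory_failed, any_success = [], False, False
    for name, flag in stack:
        ok = bool(results[name])
        called.append(name)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            mandatory_failed = True
            if flag == "REQUISITE":
                break      # failure returns control to the application
        elif flag == "SUFFICIENT" and ok:
            break          # success returns control; later modules are skipped
    return (not mandatory_failed) and any_success, called


if __name__ == "__main__":
    # Constructed scenario: a SUFFICIENT module listed before a REQUIRED one.
    stack = pair_modules(TOKEN_MODULE + "," + WS_MODULE, "SUFFICIENT,REQUIRED")
    print(evaluate_stack(stack, {TOKEN_MODULE: True, WS_MODULE: False}))
    # REQUIRED first: a failure is recorded but the next module still runs.
    stack = pair_modules(TOKEN_MODULE + "," + WS_MODULE, "REQUIRED,REQUIRED")
    print(evaluate_stack(stack, {TOKEN_MODULE: False, WS_MODULE: True}))
```

In the first scenario the REQUIRED module is never consulted, which is the ordering effect to check for when reviewing a login entry before saving it.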