Lesson 4.2: Enable user-based authorization
In the authentication module of this tutorial, you created two users: operator1 and admin1. You can assign varying permissions to these users with Java™ Authentication and Authorization Service (JAAS) authorization.
Defining the Java Authentication and Authorization Service (JAAS) authorization policy using user principals
Procedure
Edit the JAAS authorization file.
The xsAuth2.policy file is in the samples_home/security directory:
// Grant to the operator1 principal: read-only access to the Map1 map of the Grid ObjectGrid.
// The codebase must be a quoted string in Java policy syntax.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/operator1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};
// Grant to the admin1 principal: all map actions on the same map.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/admin1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
In this file, the http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction codebase is a specially reserved URL for ObjectGrid. All ObjectGrid permissions that are granted to principals should use this special codebase. The following permissions are assigned in this file:
- The first grant statement grants read map permission to the operator1 principal. The operator1 user has only map read permission to the Map1 map in the Grid ObjectGrid instance.
- The second grant statement grants all map permission to the admin1 principal. The admin1 user has all permissions to the Map1 map in the Grid ObjectGrid instance.
- The principal name is defaultWIMFileBasedRealm/operator1, not just operator1. WebSphere® Application Server automatically prefixes the principal name with the realm name when federated repositories are used as the user account registry. Adjust this value if your realm name differs.
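A small offline check for the grant blocks described above, added here as an example and not part of WebSphere eXtreme Scale or this tutorial: it parses the grant entries of a policy file in the xsAuth2.policy shape, flags grants that use a codebase other than the reserved one or a principal name without the realm prefix, and reports the effective MapPermission actions a principal holds on a map. The policy text is constructed inline from the two grants in this lesson; the realm name defaultWIMFileBasedRealm is assumed.

```python
import re
# Reserved codebase for ObjectGrid permissions (from the lesson text).
OBJECTGRID_CODEBASE = "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"

# Constructed sample input: the two grant blocks from xsAuth2.policy above.
SAMPLE_POLICY = '''
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/operator1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/admin1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
'''

# One grant block: codebase, principal class, principal name, then the body in braces.
GRANT_RE = re.compile(
    r'grant\s+codebase\s+"(?P<codebase>[^"]+)"\s+principal\s+[\w.]+\s+'
    r'"(?P<principal>[^"]+)"\s*\{(?P<body>.*?)\}\s*;', re.IGNORECASE | re.DOTALL)
# One permission entry inside a grant body: class, target name, action list.
PERM_RE = re.compile(
    r'permission\s+(?P<cls>[\w.]+)\s+"(?P<target>[^"]+)"\s*,\s*"(?P<actions>[^"]+)"\s*;')

def parse_policy(text):
    """Return a list of dicts: {codebase, principal, perms: [(cls, target, actions)]}."""
    return [{"codebase": m["codebase"], "principal": m["principal"],
             "perms": [(p["cls"], p["target"], p["actions"]) for p in PERM_RE.finditer(m["body"])]}
            for m in GRANT_RE.finditer(text)]

def lint(grants, realm="defaultWIMFileBasedRealm"):
    """Flag grants that would not take effect: wrong codebase or principal name without realm prefix."""
    problems = []
    for g in grants:
        if g["codebase"] != OBJECTGRID_CODEBASE:
            problems.append(f'{g["principal"]}: not granted under the reserved ObjectGrid codebase')
        if not g["principal"].startswith(realm + "/"):
            problems.append(f'{g["principal"]}: missing "{realm}/" prefix that the federated repository adds')
    return problems

def map_actions(grants, principal, map_name):
    """Effective MapPermission action set one principal holds on one map."""
    actions = set()
    for g in grants:
        if g["principal"] != principal:
            continue
        for cls, target, acts in g["perms"]:
            if cls.endswith("MapPermission") and target == map_name:
                actions.update(a.strip() for a in acts.split(","))
    return actions
```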
Setting the JAAS authorization policy file using JVM properties
Running the sample application to test authorization
Lesson checkpoint
In this lesson, you configured authorization by assigning permissions to specific users.