Lesson 4.2: Enable user-based authorization

In the authentication module of this tutorial, you created two users: operator1 and admin1. You can assign varying permissions to these users with Java™ Authentication and Authorization Service (JAAS) authorization.

Defining the Java Authentication and Authorization Service (JAAS) authorization policy using user principals

About this task

You can assign permissions to the users that you previously created. Give the operator1 user read permission only on the Map1 map, and give the admin1 user all permissions on that map. Permissions are granted to principals in the JAAS authorization policy file, so whatever a user can do in the grid is decided by the grant entry that names that user's principal.

Procedure

Edit the JAAS authorization file.
The xsAuth2.policy file is in the samples_home/security directory. Note that the codebase value is a quoted string, as Java policy syntax requires:

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/operator1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/admin1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
In this file, the http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction codebase is a reserved URL for ObjectGrid. Every ObjectGrid permission that you grant to a principal must use this codebase; a grant on any other codebase is not consulted for ObjectGrid authorization decisions. The following permissions are assigned in this file:
  • The first grant statement grants the read map permission to the operator1 principal. The operator1 user can only read the Map1 map in the Grid ObjectGrid instance.
  • The second grant statement grants the all map permission to the admin1 principal. The admin1 user has every map permission (read, insert, update, remove, invalidate) on the Map1 map in the Grid ObjectGrid instance.
  • The principal name is defaultWIMFileBasedRealm/operator1, not simply operator1. WebSphere® Application Server automatically prefixes the principal name with the realm name when federated repositories are used as the user account registry. The policy matches this string exactly, including case and the realm prefix, so adjust the value if your realm name is different; a grant whose principal name does not match silently confers nothing.
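The grant entries above are the whole authorization decision: a principal may perform an action on a map only if a grant on the reserved ObjectGrid codebase names that exact principal and lists that action (or "all"). The following checker, an added example and not part of the original tutorial or of WebSphere eXtreme Scale, parses grant entries of this shape and answers "may principal P do action A on map M?", which is a convenient way to review xsAuth2.policy before restarting the container servers. It embeds a constructed copy of the two grant entries instead of reading samples_home/security, matches map names exactly (no wildcard handling), and assumes the MapPermission action set read, insert, update, remove, invalidate; the denial message it returns mirrors the AccessControlException text shown in the test procedure later in this lesson.

```python
import re

# Constructed inline copy of the two grant entries shown in xsAuth2.policy,
# so the checker runs without reading samples_home/security.
SAMPLE_POLICY = '''
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/operator1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    Principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/admin1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
'''

OBJECTGRID_CODEBASE = "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
MAP_PERMISSION = "com.ibm.websphere.objectgrid.security.MapPermission"
# Assumed concrete MapPermission actions; "all" in a grant expands to every one of them.
MAP_ACTIONS = frozenset({"read", "insert", "update", "remove", "invalidate"})

# One grant block: codebase (quoted or bare), one Principal clause, then the permission body.
GRANT_RE = re.compile(
    r'grant\s+codebase\s+"?(?P<codebase>[^"\s]+)"?\s+'
    r'Principal\s+(?P<pclass>\S+)\s+"(?P<pname>[^"]+)"\s*\{(?P<body>.*?)\}\s*;',
    re.S,
)
PERM_RE = re.compile(
    r'permission\s+(?P<cls>\S+)\s+"(?P<target>[^"]+)"\s*,\s*"(?P<actions>[^"]+)"\s*;'
)


def parse_policy(text):
    """Return {principal_name: {map_target: set(actions)}} for MapPermission grants
    on the reserved ObjectGrid codebase. Grants on any other codebase, and
    permissions of any other class, are skipped."""
    grants = {}
    for g in GRANT_RE.finditer(text):
        if g.group("codebase") != OBJECTGRID_CODEBASE:
            continue
        per_map = grants.setdefault(g.group("pname"), {})
        for p in PERM_RE.finditer(g.group("body")):
            if p.group("cls") != MAP_PERMISSION:
                continue
            actions = {a.strip() for a in p.group("actions").split(",")}
            if "all" in actions:
                actions = set(MAP_ACTIONS)
            per_map.setdefault(p.group("target"), set()).update(actions)
    return grants


def check(grants, principal, map_target, action):
    """Return None when the principal may perform the action on the map; otherwise
    return the text of the AccessControlException message the container reports.
    Exact string match on the principal name, so a missing realm prefix is a denial."""
    if action in grants.get(principal, {}).get(map_target, set()):
        return None
    return f"Access denied ({MAP_PERMISSION} {map_target} {action})"


if __name__ == "__main__":
    grants = parse_policy(SAMPLE_POLICY)
    for who, action in [("defaultWIMFileBasedRealm/admin1", "insert"),
                        ("defaultWIMFileBasedRealm/operator1", "read"),
                        ("defaultWIMFileBasedRealm/operator1", "insert"),
                        ("operator1", "read")]:  # realm prefix omitted: no grant matches
        print(f"{who} {action} on Grid.Map1 -> {check(grants, who, 'Grid.Map1', action) or 'allowed'}")
```

Running it shows admin1 allowed to insert, operator1 allowed to read but denied insert with the same "Access denied (... Grid.Map1 insert)" text the sample application surfaces, and a bare "operator1" principal denied everything, which is the realm-prefix mistake the note above warns about.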

Setting the JAAS authorization policy file using JVM properties

About this task

Use the following steps to set JVM properties for the xs1 and xs2 servers, which are in the xsCluster cluster. If you are using a topology that is different from the sample topology that is used in this tutorial, set the file on all of your container servers.

Procedure

  1. In the administrative console, click Servers > Application servers > server_name > Java and Process Management > Process definition > Java Virtual Machine.
  2. Add generic JVM arguments.
    Note: When containers are running in WebSphere Application Server, do not use the -Djava.security.policy argument. That argument replaces the Java 2 security policy of the server and so overrides the WebSphere Application Server administrative access authorization. Use -Djava.security.auth.policy instead, which sets only the JAAS authorization policy.

    Enter the following generic JVM argument, or replace an existing -Djava.security.auth.policy entry with it (substitute the real path of your samples_home directory):

    -Djava.security.auth.policy=samples_home/security/xsAuth2.policy
  3. Click OK and save your changes.

Running the sample application to test authorization

About this task

You can use the sample application to test the authorization settings. The administrator user continues to have all permissions in the Map1 map, including displaying and adding employees. The operator user should only be able to view employees because that user was assigned read permission only.

Procedure

  1. Restart all of the application servers that are running container servers.
  2. Open the EmployeeManagementWeb application.
    In a web browser, open http://<host>:<port>/EmployeeManagementWeb/management.jsp.
  3. Log in to the application as an administrator.
    Use the user name admin1 and password admin1.
  4. Attempt to display an employee.
    Click Display an Employee and search for the authemp1@acme.com email address. A message displays that the employee cannot be found, because no employee has been added yet.
  5. Add an employee.
    Click Add an Employee. Add the email authemp1@acme.com, the first name Joe, and the last name Doe. Click Submit. A message displays that the employee has been added.
  6. Log in as the operator user.
    Open a second web browser window and open http://<host>:<port>/EmployeeManagementWeb/management.jsp. Use the user name operator1 and password operator1.
  7. Attempt to display an employee.
    Click Display an Employee and search for the authemp1@acme.com email address. The employee is displayed.
  8. Add an employee.
    Click Add an Employee. Add the email authemp2@acme.com, the first name Joe, and the last name Doe. Click Submit. The following message displays:
    An exception occurs when Add the employee. See below for detailed exception messages.
    The following exception is in the exception chain:
    java.security.AccessControlException: Access denied 
    (com.ibm.websphere.objectgrid.security.MapPermission Grid.Map1 insert)
    This message displays because the operator1 user was granted only the read action on the Map1 map; adding an employee requires the insert action, which the policy does not grant to that principal.

Results

If you are running with a version of WebSphere Application Server that is earlier than Version 7.0.0.11, you might see a java.lang.StackOverflowError error on the container server. This error is caused by a problem with the IBM Developer Kit. The problem is fixed in the IBM Developer Kit that is shipped with WebSphere Application Server Version 7.0.0.11 and later.

Lesson checkpoint

In this lesson, you configured authorization by assigning permissions to specific users.