Lesson 4.3: Configure group-based authorization
In the previous lesson, you assigned individual user-based authorization with user principals in the Java™ Authentication and Authorization Service (JAAS) authorization policy. However, when you have hundreds or thousands of users, use group-based authorization, which authorizes access based on groups instead of individual users.
About this task
Unfortunately, the Subject object that is authenticated from the WebSphere® Application Server only contains a user principal. This object does not contain a group principal. You can add a custom login module to populate the group principal into the Subject object.
For this tutorial, the custom login module is named com.ibm.websphere.samples.objectgrid.security.lm.WASAddGroupLoginModule. The module is in the groupLM.jar file. Place this JAR file in the WAS-INSTALL/lib/ext directory.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal com.ibm.websphere.sample.xs.security.WSGroupPrincipal
"defaultWIMFileBasedRealm/cn=operatorGroup,o=defaultWIMFileBasedRealm" {
permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
};
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
principal com.ibm.websphere.sample.xs.security.WSGroupPrincipal
"defaultWIMFileBasedRealm/cn=adminGroup,o=defaultWIMFileBasedRealm" {
permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
};
The principal name is the WSGroupPrincipal, which represents the group.
Adding the custom login module
Procedure
Use the following steps to configure the supplied com.ibm.websphere.samples.objectgrid.security.lm.WASAddGroupLoginModule login module:
- In the administrative console, click .
- Enter the class name as com.ibm.websphere.sample.xs.security.lm.WASAddGroupLoginModule.
- Optional: Add a property debug and set the value to true.
- Click Apply to add the new module to the login module list.
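To show what a login module of this kind does to the Subject, here is an added example; it is not the tutorial's WASAddGroupLoginModule and not IBM code. The module assumes the server has already authenticated the user and placed a user principal in the Subject; it then adds one group principal per group, using a constructed membership table in place of the user registry lookup. The class names AddGroupLoginModule and GroupPrincipal, and the user name operator1, are assumptions; in WebSphere the sample's WSGroupPrincipal takes the place of GroupPrincipal. The group names match the two policy grants above, and the debug option mirrors the optional debug property from the steps.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical stand-in for the tutorial's group login module: runs after the
 * server has authenticated the user and adds one group principal per group the
 * user belongs to, so the JAAS policy can grant permissions by group.
 */
public class AddGroupLoginModule implements LoginModule {

    /** Hypothetical group principal; WebSphere uses the sample's WSGroupPrincipal instead. */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && ((GroupPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "GroupPrincipal[" + name + "]"; }
    }

    // Constructed membership table for this example. A real module queries the
    // user registry; the group names here match the policy grants in the tutorial.
    private static final Map<String, List<String>> MEMBERSHIP = Map.of(
        "operator1", List.of("defaultWIMFileBasedRealm/cn=operatorGroup,o=defaultWIMFileBasedRealm"),
        "admin1",    List.of("defaultWIMFileBasedRealm/cn=adminGroup,o=defaultWIMFileBasedRealm"));

    private Subject subject;
    private boolean debug;
    private final Set<Principal> added = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // Mirrors the optional "debug" module property from the configuration steps.
        this.debug = "true".equalsIgnoreCase(String.valueOf(options.get("debug")));
    }

    @Override
    public boolean login() {
        // Authentication already happened in the server's own modules; nothing to verify here.
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (subject == null) throw new LoginException("Subject is null");
        if (subject.isReadOnly()) throw new LoginException("Subject is read-only; cannot add group principals");
        // Copy the user principals first: adding to the set while iterating it would throw.
        List<Principal> users = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof GroupPrincipal)) users.add(p);
        }
        for (Principal user : users) {
            for (String group : MEMBERSHIP.getOrDefault(user.getName(), List.of())) {
                GroupPrincipal gp = new GroupPrincipal(group);
                if (subject.getPrincipals().add(gp)) {
                    added.add(gp); // remember what we added so abort/logout can undo it
                    if (debug) System.out.println("Added group principal " + group + " for user " + user.getName());
                }
            }
        }
        return true;
    }

    @Override public boolean abort()  { removeAdded(); return true; }
    @Override public boolean logout() { removeAdded(); return true; }

    private void removeAdded() {
        if (subject != null && !subject.isReadOnly()) subject.getPrincipals().removeAll(added);
        added.clear();
    }

    // Stand-alone demonstration with a constructed user principal named operator1.
    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        subject.getPrincipals().add((Principal) () -> "operator1");
        AddGroupLoginModule module = new AddGroupLoginModule();
        module.initialize(subject, null, Map.of(), Map.of("debug", "true"));
        module.login();
        module.commit();
        System.out.println(subject.getPrincipals(GroupPrincipal.class));
    }
}
```

After commit() the Subject carries both the user principal and the operatorGroup principal, which is the principal the first grant block in the policy file names, so the read permission on Grid.Map1 applies to every member of that group without a per-user grant. The module records what it added so that abort() and logout() remove only its own principals, and it refuses a read-only Subject rather than failing with an unchecked exception.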
Setting the JAAS Authorization Policy file using JVM Properties
In the administrative console, perform the following steps for the xs1 and xs2 servers in the xsCluster. If a different deployment topology is used, perform the following steps for the application servers that host the container servers.
Procedure
Testing group authorization with the sample application
You can test that group authorization is configured by the login module with the sample application.
Procedure
Lesson checkpoint
You configured groups to simplify the assignment of permission to the users of your application.