Over time, you may need to modify or replace authentication infrastructure due to deficiencies, enhancements, or applications requiring a different security policy. EAServer support for JAAS login modules simplifies replacement and modification of the underlying authentication mechanism.
Configure server-wide login modules that are used to authenticate clients trying to gain access to applications, Web applications, and servlets/JSPs. Figure 11-1 illustrates how JAAS is enabled on EAServer. The com.sybase.jaguar.server.jaas.config server property (defined in EAServer Manager) points to the JAAS configuration file, which determines the login module to use for a specific server. The configuration file requires a section specified by the server property com.sybase.jaguar.server.jaas.section. If you do not set this property, the section name must match the server name.
Based on the contents of the configuration file, EAServer invokes any specified login modules. If a login module is not defined, then JAAS is bypassed and the server uses the regular mechanism, if any, for authentication. For example, if credentials are passed to a server and no login module is defined, the server uses operating system authentication, if enabled.
If a login module is defined, it overrides any other authentication service that may be installed, and passes the request for authentication to the login module.
Figure 11-1: EAServer login design
To enable JAAS for a server, you must specify the JAAS configuration file and section name in the server properties. EAServer uses the login module in that section for authentication.
Enabling JAAS for a server:
Highlight the Servers folder.
Highlight the server for which you are identifying the configuration file.
Select File | Properties, and highlight the Security tab.
In the JAAS Configuration File window, enter the name of the JAAS configuration file, or use the browse button to search for the file.
You can verify the JAAS configuration file setting in the Advanced tab by viewing the com.sybase.jaguar.server.jaas.config property.
To disable JAAS, remove the entry from the JAAS Configuration File
window.
Optionally specify the name of a section in the JAAS configuration file by setting the property com.sybase.jaguar.server.jaas.section on the Advanced tab. If you do not specify a section name, the file must contain a section with the same name as the server.
This message indicates that JAAS is disabled, or there is a JAAS error; for example, the configuration file is not valid, or there is a problem loading the login module:
May 30 16:30:35 2001: Note: No configuration found for 'Jaguar' in the JAAS configuration file. May 30 16:30:35 2001: WARNING: JAAS setup for Authentication is ignored.
Your EAServer installation contains a sample JAAS configuration file, jaas.cfg, in the html/classes/Sample/JAAS directory.
EAServer allows you to retrieve additional IIOP or HTTP user session information when using the JAAS API to install custom security implementations. A sample that demonstrates these features is installed in the html/classes/Sample/JAAS directory of your EAServer installation.
When authenticating HTTP client access, you can retrieve the servlet request details associated with the client request, returned as an instance of javax.servlet.http.HttpServletRequest . EAServer provides a JAAS callback implementation in class com.sybase.jaguar.security.HttpServletRequestCallback. To retrieve servlet sessions, add an instance of this class to the callback stack in your implementation’s login method. Call the HttpServletRequestCallback.getHttpServletRequest() method to retrieve the servlet request. The method returns null if the request is not an HTTP request.
When authenticating IIOP client access, you can retrieve details about the client session as an instance of the CtsSecurity/SessionInfo built-in component. To do so, add the EAServer callback class com.sybase.jaguar.security.SessionInfoCallback to the callback stack in your implementation’s login method. Call the SessionInfoCallback.getSessionInfo() method to retrieve the CtsSecurity.SessionInfo class instance that describes the user session. For details on the CtsSecurity.SessionInfo methods, see the documentation in the following file in your EAServer installation:
html/ir/CtsSecurity__SessionInfo.html
| Copyright © 2005. Sybase Inc. All rights reserved. |
|
|