Basic Websphere Security Questions

Hi,
I have a few basic questions. We are developing a typical application using Websphere 5.0 that has both a web tier (eg Struts) and an EJB tier.
a) We plan on using form-based authentication (with SSL) -- can we use JAAS to authenticate the user against IBM Directory Server? Which approach would I use to achieve this, ie integrate JAAS with Struts or use form-based custom authentication or is their some other approach that is better?
b) Once the user is authenticated in the web tier and they make a call into the ejb tier, I assume the security context passed in means that they arent re-authenticated via JAAS again in the ejb tier?
c) Does JAAS have to be setup separately for both the web and ejb tiers?
d) Given that both the web and ejb tier have their own deployment descriptors is their anyway to consolidate the <security-role> information, or does this have to be duplicated in each deployment descriptor?

many thanks,
Rowan

Originally posted by Rowan John:
Hi,
I have a few basic questions. We are developing a typical application using Websphere 5.0 that has both a web tier (eg Struts) and an EJB tier.
a) We plan on using form-based authentication (with SSL) -- can we use JAAS to authenticate the user against IBM Directory Server? Which approach would I use to achieve this, ie integrate JAAS with Struts or use form-based custom authentication or is their some other approach that is better?

The answer is no, you do NOT use JAAS. Many people with experience on other Web Application servers assume that you must use JAAS, but in fact, it's not the way to go with WebSphere. WebSphere has built-in support for form-based authentication that does not require JAAS. Do a search in the infocenter for "form-based authentication" and you'll find out how.

b) Once the user is authenticated in the web tier and they make a call into the ejb tier, I assume the security context passed in means that they arent re-authenticated via JAAS again in the ejb tier?

Nope. The user is not re-authenticated since calls to the EJB tier from the Web tier automatically include all of the credential information necessary to identify the user in the IIOP context. This is because a WebSphere cell is a "trusted domain" and credentials can be passed back and forth betweeen any of the servers in the domain (or likewise within containers within a single server). Instead, all that happens is that the security token passed in the IIOP context is validated.

c) Does JAAS have to be setup separately for both the web and ejb tiers?

As I've hinted strongly, you DO NOT need JAAS. Security has to be enabled in the cell as a whole, but that's all.

d) Given that both the web and ejb tier have their own deployment descriptors is their anyway to consolidate the <security-role> information, or does this have to be duplicated in each deployment descriptor?

The security role information is consolidated in the application deployment descriptor (in the EAR file that should contain BOTH your EJB JAR file and your WAR file).
All in all, you probably want to see my book for details on this, and check out some of thw IBM redbooks on this subject as well.

many thanks,
Rowan

Kyle,
thanks for your reply.
Our application has multiple types of clients, ie browser and web services for starters, so I was hoping to write a couple of login modules to authenticate the users of these clients?
Given that Websphere v5 does support JAAS and that JAAS is part of the j2ee 1.3 spec, why would I use Websphere's inbuilt form-based authentication over JAAS?

thanks again,
Rowan

PS I'II look into your book...

Well, you wouldn't use JAAS because you do not need it and it won't work. Period, end of story. In WebSphere JAAS login modules are only used by Application clients. Web Services authentication is AUTOMATICALLY handled by the container in the same way that Form-based and HTTP Basic Authentication is automatically handled by the container. You can't write a login module on your own and make it work with other client types within WebSphere.
Also, JAAS is NOT part of J2EE 1.3 in the way you think. We have to be very precise here. JAAS is only mentioned in one place in the J2EE specs -- in the JCA specification. WebSphere does allow you to use JAAS there for translation between security credentials used by the container and credentials used by your JCA provider, but that's about the only place it's useful (except when authenticating an application client, in which case you'll use a built-in WebSphere JAAS login module -- not write your own).
Believe me, nearly everything you know about JAAS is wrong when you consider it within WebSphere. We're not JBoss, and we're not WebLogic, and everything you've done with JAAS in those vendors does not apply to WebSphere.
Kyle

Well, you wouldn't use JAAS because you do not need it and it won't work. Period, end of story. In WebSphere JAAS login modules are only used by Application clients.

Do you say this from experience only, or can you point me at a reference for this? If I could develop a JAAS solution, wouldn't it be portable across other app servers?

No it won't. That's the dirty little secret of JAAS. It's NOT fully part of J2EE and it's not portable. If you write a JAAS solution, you'll have to rewrite it for each app server.
Not only that but it won't work for WebSphere!
I'm sorry that there's no reference I can give because it's hard to give a reference for something that can't be done...
Kyle

Can I check something please? I am using JAAS in an application client, which runs in the client application container of Websphere 5. If I follow this thread correctly, I cannot use JAAS in Websphere in the EJB container, but can in a client.
1. Can I use JAAS if the application client is in the client application container, or only if its a standalone client?
2. Can I use my own JAAS login module or do I have to use the Websphere one?
3. Are there any Websphere specific steps to enable me to do 2. - I've amended the wsjaas_client.conf to use my login module, and made sure that the code is in the classpath of my app client .ear file, and configured an application login configuration in the admin console, but I still the following exception:
javax.security.auth.login.LoginException: unable to find LoginModule class: com.mycompany.myproduct.management.jaas.ManagerLoginModule
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:643)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:124)
at javax.security.auth.login.LoginContext$3.run(LoginContext.java:543)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:540)
at javax.security.auth.login.LoginContext.login(LoginContext.java:450)
at com.mycompany.myproduct.management.jaas.LoginManager.login(LoginManager.java:160)
In the infocenter for WAS5, JAAS section -
http://publib.boulder.ibm.com/infocenter/wsphelp/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/csec_programlog.html
it mentions recommending using "WebSphere Proxy LoginModule because of the limitation of the class loader visibility problem." Could this be why my login module is not being picked up?
[ February 06, 2004: Message edited by: Steve Wink ]
[ February 06, 2004: Message edited by: Steve Wink ]
[ February 06, 2004: Message edited by: Steve Wink ]