Mapping of a client Kerberos principal name to the WebSphere user registry ID
You can map the Kerberos client principal name to the WebSphere user registry ID for both Simple and Protected GSS-API Negotiation (SPNEGO) web authentication and Kerberos authentication.
About this task
Use the Java Authentication and Authorization Service (JAAS) custom login module to perform any custom mapping of a client Kerberos principal name to the WebSphere user registry identity. The JAAS custom login module is a plug-in mechanism that is defined for authenticating incoming requests in WebSphere® Application Server. If the active authentication mechanism is LTPA, the JAAS custom login module is inserted immediately before the ltpaLoginModule. If the active authentication mechanism is Kerberos, the JAAS custom login module is inserted immediately before the WSKrb5LoginModule.

The JAAS custom login module retrieves the client Kerberos principal name from the javax.security.auth.Subject by using the subject.getPrivateCredentials(KRBAuthnToken.class) method. The JAAS custom login module then maps the client Kerberos principal name to the WebSphere user registry identity and inserts the mapped identity in the hash table property com.ibm.wsspi.security.cred.userId. The wsMapDefaultInboundLoginModule then uses the mapped identity to create a WSCredential.

A javax.security.auth.Subject in the com.ibm.wsspi.security.tai.TAIResult can be used to fully assert the mapped identity. When the identity is fully asserted, the wsMapDefaultInboundLoginModule maps those security properties to a WSCredential.
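The following login module is an added example of the mapping step described above; it is not code from the WebSphere product documentation. It assumes the KRBAuthnToken accessor that returns the principal string is getPrincipal() (inherited from the WebSphere Token interface), that the mapping hash table is passed to wsMapDefaultInboundLoginModule through the JAAS shared state under AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, and that AttributeNameConstants.WSCREDENTIAL_USERID carries the string com.ibm.wsspi.security.cred.userId named on the page. The package name, class name, and the realm policy in mapPrincipalToRegistryId are constructed for the example.

```java
package com.example.security; // hypothetical package for this example

import java.util.Hashtable;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.KRBAuthnToken;

/**
 * Custom JAAS login module that maps a Kerberos client principal
 * (for example alice@EXAMPLE.COM) to a WebSphere user registry ID (alice).
 * Configure it to run immediately before ltpaLoginModule (LTPA) or
 * WSKrb5LoginModule (Kerberos), as the page describes.
 */
public class KrbPrincipalMappingLoginModule implements LoginModule {

    // Constructed policy: only principals from this realm are trusted for mapping.
    private static final String TRUSTED_REALM = "EXAMPLE.COM";

    private Subject subject;
    private Map<String, Object> sharedState;
    private String mappedUserId;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        // Retrieve the Kerberos token placed in the Subject by SPNEGO/Kerberos authentication.
        Set<KRBAuthnToken> tokens = subject.getPrivateCredentials(KRBAuthnToken.class);
        if (tokens.isEmpty()) {
            // Not a Kerberos-authenticated request: this module has nothing to map.
            return false;
        }
        KRBAuthnToken token = tokens.iterator().next();
        String principal = token.getPrincipal(); // accessor name assumed, see lead-in
        mappedUserId = mapPrincipalToRegistryId(principal);
        if (mappedUserId == null) {
            // Fail closed: an unmappable principal must not fall through to a default identity.
            throw new LoginException("Kerberos principal cannot be mapped to a registry user");
        }
        return true;
    }

    @Override
    @SuppressWarnings("unchecked")
    public boolean commit() {
        if (mappedUserId == null) {
            return false;
        }
        // Hand the mapped identity to wsMapDefaultInboundLoginModule through the
        // hash table property com.ibm.wsspi.security.cred.userId.
        Hashtable<String, Object> props =
            (Hashtable<String, Object>) sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (props == null) {
            props = new Hashtable<>();
            sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, props);
        }
        props.put(AttributeNameConstants.WSCREDENTIAL_USERID, mappedUserId);
        return true;
    }

    @Override
    public boolean abort() {
        mappedUserId = null;
        return true;
    }

    @Override
    public boolean logout() {
        mappedUserId = null;
        return true;
    }

    /**
     * Constructed mapping policy: accept user principals of the form name@REALM
     * from the trusted realm only, and return the registry ID (the name part).
     * Service principals (name/host@REALM) and foreign realms are rejected.
     */
    static String mapPrincipalToRegistryId(String principal) {
        if (principal == null || principal.indexOf('/') >= 0) {
            return null;
        }
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            return null;
        }
        String name = principal.substring(0, at);
        String realm = principal.substring(at + 1);
        return TRUSTED_REALM.equalsIgnoreCase(realm) ? name.toLowerCase() : null;
    }
}
```

The module returns false from login() when no KRBAuthnToken is present so that a non-Kerberos request is left to the remaining modules in the stack, and it throws rather than returning a partial result when the principal does not satisfy the realm policy, which keeps an unexpected principal from reaching wsMapDefaultInboundLoginModule unmapped.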