Default Configuration for WebSphere

The Cúram JAAS login module is configured as a system login module in WebSphere®. The default, scripted security configuration within WebSphere involves the default file-based user registry and the Cúram system login module. The user registry in WebSphere is the default authentication mechanism and can be configured to be:

There are multiple system login configurations for WebSphere. The Cúram system login module is configured for the DEFAULT, WEB_INBOUND and RMI_INBOUND configurations. The same login module is used for all three configurations. WebSphere automatically invokes the login modules configured as system login modules under certain circumstances:

The Cúram JAAS login module exists as a login module within a chain of login modules set up in WebSphere. At least one of these login modules is expected to be responsible for adding credentials for the user. By default, the Cúram login module adds credentials for an authenticated user, so the configured WebSphere user registry, handled by a subsequent login module, does not add credentials. It is therefore not necessary to define Cúram users within the WebSphere user registry. This behavior is configurable through the curam.security.user.registry.enabled property set in the AppServer.properties file. Consult the Cúram Deployment Guide for WebSphere Application Server or the Cúram Deployment Guide for WebSphere Application Server on z/OS for further details on setting this property. Figure 1 below illustrates the default authentication flow for WebSphere. Figure 2 below illustrates the authentication flow for WebSphere where its user registry is also queried, i.e. where the curam.security.user.registry.enabled property is set to true.

Figure 1. Default Authentication Flow for WebSphere
Figure 2. Authentication Flow for WebSphere with User Registry Enabled

As part of the security configuration, certain users are excluded from Cúram authentication, and for these users the configured user registry is queried instead. This list of users is configured automatically to contain the WebSphere security user, as specified by the security.username property in AppServer.properties, and the database user, as specified by the curam.db.username property in Bootstrap.properties. These two users are classified as administrative users rather than application users. It is possible to extend this list of excluded users manually; see the Cúram Deployment Guide for WebSphere Application Server and the Cúram Deployment Guide for WebSphere Application Server on z/OS for more information.

Warning: The security.username and curam.db.username users are automatically added to the WebSphere file-based user repository by the provided configuration scripts. If the configured WebSphere user registry is not the default, these users must exist in the alternate WebSphere user registry.