The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.
The JAAS can be used for two purposes:
For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet.
For authorization of users, to ensure they hold the access control rights (permissions) required for the actions they perform.
Note: See the Java Authentication and Authorization Service page on Sun's web site at http://java.sun.com/products/jaas/ for more information.
The login configuration file (login.conf) contains the login module definitions used by the JAAS for client authentication. It is referenced in the JVM settings for a particular server instance, as shown in Example 5.12.
<jvm>
  <java-home>/opt/webserver7/jdk</java-home>
  <server-class-path>...</server-class-path>
  <debug>false</debug>
  <debug-jvm-options>-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7896</debug-jvm-options>
  <jvm-options>-Djava.security.auth.login.config=login.conf</jvm-options>
  <jvm-options>-Djava.util.logging.manager=com.sun.webserver.logging.ServerLogManager</jvm-options>
  <jvm-options>-Xms128m -Xmx256m</jvm-options>
</jvm>
The login configuration file specifies the Java class used for each authentication realm. Example 5.13 demonstrates the login.conf file for the default Administration Node.
/* Copyright 2006 Sun Microsystems, Inc. All rights reserved. */
/* Use is subject to license terms. */
fileRealm {
    com.iplanet.ias.security.auth.login.FileLoginModule required;
};
ldapRealm {
    com.iplanet.ias.security.auth.login.LDAPLoginModule required;
};
solarisRealm {
    com.iplanet.ias.security.auth.login.SolarisLoginModule required;
};
nativeRealm {
    com.iplanet.ias.security.auth.login.NativeLoginModule required;
};
The basic format for the login module definitions contained in the login configuration file is as follows:
Application {
    ModuleClass Flag ModuleOptions;
    ModuleClass Flag ModuleOptions;
    ModuleClass Flag ModuleOptions;
};
Each entry in the login configuration file is indexed by an application name (Application). Each application entry lists the login modules configured for that application, each specified by its fully qualified class name (ModuleClass). Authentication proceeds down the module list in the exact order specified. The Flag value controls the overall behavior as authentication proceeds down the stack; it is one of Required, Requisite, Sufficient, or Optional.
ModuleOptions is a space-separated list of login module-specific values that are passed directly to the underlying login module. Options are defined by the login module itself and control the behavior within it.
Note: See the javax.security.auth.login.Configuration class page at http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/login/Configuration.html for more information.
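As an added illustration (not code from the book or from the Web Server product), the following Python models the login.conf entry format described above and the JAAS flag rules from the Configuration page just cited, so that the effect of the module stack order can be checked before a file is pushed to the Administration Nodes. The sample file and the com.example module names are constructed for the example.

```python
import re

# Constructed sample in the login.conf format of Example 5.13 (not a real
# server file); the com.example module names are placeholders.
SAMPLE_CONF = """
/* comment, stripped by the parser */
fileRealm {
    com.iplanet.ias.security.auth.login.FileLoginModule required;
};
mixedRealm {
    com.example.FirstModule sufficient debug=true;
    com.example.SecondModule required;
};
"""
FLAGS = {"required", "requisite", "sufficient", "optional"}
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)

def parse_login_conf(text):
    """Return {Application: [(ModuleClass, Flag, [ModuleOptions])]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    conf = {}
    for name, body in ENTRY_RE.findall(text):
        stack = []
        for entry in filter(None, (e.strip() for e in body.split(";"))):
            parts = entry.split()
            if len(parts) < 2 or parts[1].lower() not in FLAGS:
                raise ValueError(f"{name}: malformed entry {entry!r}")
            stack.append((parts[0], parts[1].lower(), parts[2:]))
        conf[name] = stack
    return conf

def evaluate(stack, outcomes):
    """Overall result of a module stack under the JAAS flag rules.
    outcomes maps ModuleClass -> whether that module's login() succeeded.
    Returns (authenticated, list of modules actually consulted, in order)."""
    consulted, required_ok, has_required, any_ok = [], True, False, False
    for cls, flag, _ in stack:
        consulted.append(cls)
        ok = outcomes[cls]
        if flag in ("required", "requisite"):
            has_required = True
            if not ok:
                required_ok = False
                if flag == "requisite":
                    return False, consulted  # Requisite failure stops the stack
        elif flag == "sufficient" and ok and required_ok:
            # Success ends the stack early; later modules are never consulted.
            return True, consulted
        any_ok = any_ok or ok
    # With no Required/Requisite module, some Sufficient/Optional one must pass.
    return (required_ok if has_required else any_ok), consulted
```

In the constructed mixedRealm, a successful Sufficient module means the Required module after it is never consulted, which is the property to review whenever a realm stacks more than one module.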
Each server instance has its own login configuration file; therefore, there is a one-to-one correspondence between the server instance and this file.
The Administration Console and command line interface do not provide a method for managing the login configuration file. As such, all modifications to this file must be made on a particular Administration Node. After this has been performed, the modifications must be pulled back into the configuration and then pushed out to additional Administration Nodes as appropriate.