Setting up JAAS-Compliant Authentication (Sun Java System Message Queue 4.1 Administration Guide)

Sun Java System Message Queue 4.1 Administration Guide

Setting up JAAS-Compliant Authentication

Setting up JAAS-compliant authentication involves setting broker and system properties to select this type of authentication, to specify the location of the configuration file, and to specify the entries to the login modules that are going to be used.

This section illustrates how the JAAS client, the login modules, and the JAAS configuration file are related and then describes the process required to set up JAAS-compliant authentication. The next figure shows the relation between the configuration file, the login module, and the broker.

Figure 9–3 Setting Up JAAS Support

This figure shows the relationship between JAAS-related
files. The text following the figure explains its content.

As shown in the figure, the JAAS configuration file, MyJAASCFile.config contains references to several login modules, grouped in an entry point. The JAAS locates the configuration file by consulting the Java system property java.security.auth.login.config or the Java security properties file. The broker then determines which login modules to use by consulting the broker property imq.user_repository.jaas.name, which specifies the desired entry in the configuration file. The classes for those modules are found in the lib/ext directory.

To set up JAAS support for Message Queue, you must complete the following steps. (In a development environment all these steps might be done by the developer. In a production environment, the administrator would take over some of these tasks.)

Create one or more login module classes that implement the authentication service. The JAAS callback types that the broker supports are listed below.

javax.security.auth.callback.LanguageCallback

The broker uses this callback to pass the authentication service the locale in which the broker is running This value can be used for localization.

javax.security.auth.callback.NameCallback

The broker uses this callback to pass to the authentication service the user name specified by the Message Queue client when the connection was requested.

javax.security.auth.callback.TextInputCallback

The broker uses this callback to pass the value of imq.authentication.type to the authentication service when the TextInputCallback.getPrompt() is imq.authentication.type. Right now, the only possible value for this field is basic. This indicates Base-64 password encoding.

javax.security.auth.callback.PasswordCallback

The broker uses this callback to pass to the authentication service the password specified by the Message Queue client when the connection was requested.

javax.security.auth.callback.TextOutputCallback

The broker handles this callback to provide logging service to the authentication service by logging the text output to the broker's log file. The callback's MessageType ERROR, INFORMATION, WARNING are mapped to the broker logging levels ERROR, INFO, WARNING respectively.
Create a JAAS configuration file with entries that reference the login module classes and specify the location of this file to the Message Queue administrator. (The file can be located remotely, and its location can be specified with a URL.)
Note the name of the entry (that references the login implementation classes) in the JAAS configuration file.
Archive the classes that implement the login modules to a jar file, and place the jar file in the Message Queue lib/ext directory.
Configure the broker properties that relate to JAAS support. These are described in Table 9–4.
Set the following system property (to specify the location of the JAAS configuration file) when starting the broker.

java.security.auth.login.config=JAAS_Config_File_Location

For example, you can specify the configuration file when you start the broker.

imqbrokerd -Djava.security.auth.login.config=JAAS_Config_File_Location

There are other ways to specify the location of the JAAS configuration file. For additional information, please see

http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html

The following table lists the broker properties that need to be set to set up JAAS support.

Table 9–4 Broker Properties for JAAS Support


Property	Description
`imq.authentication.type`	Set to `basic` to indicate Base-64 password encoding. This is the only permissible value for JAAS authentication.
`imq.authentication.basic.user_repository`	Set to `jaas` to specify JAAS authentication.
`imq.accesscontrol.type`	Set to `file.`
`imq.user_repository.jaas.name`	Set to the name of the desired entry (in the JAAS configuration file) that references the login modules you want to use as the authentication mechanism. This is the name you noted in Step 3.
`imq.user_repository.jaas.userPrincipalClass`	This property, used by Message Queue access control, specifies the `java.security.Principal` implementation class in the login module(s) that the broker uses to extract the Principal name to represent the user entity in the Message Queue access control file. If, it is not specified, the user name passed from the Message Queue client when a connection was requested is used instead.
`imq.user_repository.jaas.userPrincipalClass`	This property, used by Message Queue access control, specifies the `java.security.Principal` implementation class in the login module(s) that the broker uses to extract the Principal name to represent the group entity in the Message Queue access control file. If, it is not specified, the group rules, if any, in the Message Queue access control file are ignored.