NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

ManualsBrandsHP ManualsServerHP Integrity NonStop J-Series

371

372

373

374

375

376

377

378

379

380

Security Considerations

NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006

8-21

Realms

more information on JAAS, see

http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html

NSJSP provides the required JAAS infrastructure to accept NonStop usernames and

to authenticate users in the Safeguard subsystem. This means NonStop usernames

and passwords can be used to authenticate users and groups in the Safeguard

subsystem that can be used as user roles to authorize access to application resources.

The JAAS framework provides the LoginModule interface that must be implemented

by authentication service providers. NSJSP provides an implementation of the

LoginModule interface in the

com.tandem.servlet.jaas.NonStopLoginModule class. The

NonStopLoginModule authenticates the user using the Safeguard subsystem and

fetches the groups to which the logged in user belongs. The LoginModule class must

be registered with the JAAS framework. This is done by providing the JAAS

configuration file (<NSJSP_HOME>/conf/iTP_jaas.config) through the -

Djava.security.auth.login.config command-line argument. The following

sample iTP_jaas.config file shows the configuration of the

NonStopLoginModule:

NonStopUserDB {

com.tandem.servlet.jaas.NonStopLoginModule REQUIRED debug=false;

};

where, NonStopUserDB is the name used by the JAAS framework to uniquely identify

the LoginModule that must be used for authentication.

With the use of NonStopLoginModule as the LoginModule, users can login with

NonStop usernames in any of the following forms:



NonStop Username: super.webmstr



NonStop Group, User: 255,20



NonStop User ID: 65305



Safeguard alias name: webman

On successful authentication of a NonStop user, the NonStopLoginModule returns

the groups to which the user or alias belongs. For example, if the Safeguard alias

webman (for NonStop user SUPER.WEBMSTR) is configured as belonging to groups

SUPER, SOFTWARE and WEB, then on successful authentication, the roles returned for

webman are:



SUPER



SOFTWARE



WEB



SUPER.WEBMSTR (the actual NonStop username)