Extensible Authentication

The extensible authentication feature uses the Java virtual machine (JVM) and the Java Authentication and Authorization Service (JAAS) to allow you to run your own Java-based authentication module in the EMS server.

Your authentication module, or LoginModule, runs in the JVM within the EMS server, and is accessed by tibemsd using the JAAS interface. This is a flexible way to extend the security of your EMS application. The LoginModule can be used to augment existing authentication processes, or can be the sole method of authentication used by the EMS server. The user_auth parameter in the main configuration file determines when the LoginModule is used.

Each time an EMS client attempts to create a connection to the server, the server will authenticate the client before accepting the connection. When extensible authentication is enabled, tibemsd passes user information to the LoginModule, which returns an allow or deny response.

If more than one authentication mechanism is enabled, the order in which they are listed in the user_auth parameter is the order in which the server consults them. tibemsd checks each authentication source in turn; only if the user does not exist in a source does it pass the username and password on to the next one.

For example, if local authentication appears before JAAS authentication, the server first looks up the username in the users.conf file. If the user does not exist there, tibemsd passes the username and password to the LoginModule, which allows or denies the connection attempt.

Consider a connection request from a client with the username avogus. If avogus exists in users.conf, the EMS server either authenticates or denies avogus based on the password stored there; a wrong password for a locally defined user is a denial, not a reason to try the next source. Only if avogus does not exist in users.conf does the server pass the username and password to the LoginModule.
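The following is an added illustration of the LoginModule described above, written for this page and not code shipped with EMS or any TIBCO sample. It implements the standard javax.security.auth.spi.LoginModule interface, reads the username and password through the JAAS NameCallback and PasswordCallback, and checks them against a constructed in-memory store. The class and package names, the credential store, the user_auth and JAAS configuration lines in the header comment, and the mapping of a thrown LoginException to a "deny" and a successful commit() to an "allow" are all assumptions made for the example.

```java
package com.example.ems.auth;  // hypothetical package; not a TIBCO-supplied class

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Minimal JAAS LoginModule of the kind tibemsd loads when extensible
 * authentication is enabled. For every connection attempt that reaches
 * this module, login() receives the client's username and password.
 * Assumed mapping of outcomes (not stated on the page): a thrown
 * LoginException is the "deny" response; login() returning true followed
 * by commit() is the "allow" response.
 *
 * Assumed wiring, for illustration only:
 *   tibemsd.conf:  user_auth = local,jaas
 *   jaas.conf:     EMSUserAuthentication { com.example.ems.auth.DemoLoginModule required; };
 * With local listed first, a user present in users.conf never reaches this
 * module; only usernames unknown to users.conf are passed here.
 */
public class DemoLoginModule implements LoginModule {

    // Constructed sample credential store: username -> SHA-256(password).
    // Plain SHA-256 keeps the sample short; a real store would use a salted,
    // slow password hash or delegate to an external directory.
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static {
        USERS.put("avogus", sha256("correct horse battery staple"));
    }

    private CallbackHandler callbackHandler;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.callbackHandler = callbackHandler;
    }

    @Override
    public boolean login() throws LoginException {
        if (callbackHandler == null) {
            throw new LoginException("no CallbackHandler supplied");
        }
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback passCb = new PasswordCallback("password", false);
        try {
            callbackHandler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String user = nameCb.getName();
        char[] password = passCb.getPassword();   // getPassword() returns a copy
        passCb.clearPassword();
        try {
            if (user == null || password == null || !verify(user, password)) {
                // Deny. The message names the user but never the password, and
                // does not reveal whether the user or the password was wrong.
                throw new FailedLoginException("authentication failed for user " + user);
            }
        } finally {
            if (password != null) Arrays.fill(password, '\0');  // scrub our copy
        }
        succeeded = true;
        return true;
    }

    static boolean verify(String user, char[] password) {
        byte[] expected = USERS.get(user);
        if (expected == null) return false;
        byte[] actual = sha256(new String(password));
        // Constant-time comparison: do not leak how many hash bytes matched.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is mandatory in every JRE
        }
    }

    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort()  { succeeded = false; return false; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

Two JAAS details matter for a module used this way: login() returning false means "this module should be ignored", which is not the same as a deny, so a module that is the sole authentication source should throw on failure rather than return false; and the module receives the client's password in clear text, so it must not log it or keep it beyond the check.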