Extensible Authentication
The extensible authentication feature uses the Java virtual machine (JVM) and the Java Authentication and Authorization Service (JAAS) to allow you to run your own Java-based authentication module in the EMS server.
Your authentication module, or LoginModule, runs in the JVM within the EMS server, and is accessed by tibemsd using the JAAS interface. This is a flexible way to extend the security of your EMS application. The LoginModule can be used to augment existing authentication processes, or can be the sole method of authentication used by the EMS server.
The user_auth parameter in the main configuration file determines when the LoginModule is used.
Each time an EMS client attempts to create a connection to the server, the server will authenticate the client before accepting the connection. When extensible authentication is enabled, tibemsd passes user information to the LoginModule, which returns an allow or deny response.
If more than one authentication mechanism is enabled, when a user attempts to authenticate, the server seeks corresponding authentication information from each of the specified locations in the order determined by the user_auth parameter. The EMS server accepts successful authentication using any of the specified sources.
For example, if local authentication appears before JAAS authentication, the server will search for the provided username and password first in the users.conf file. If the user does not exist there or if the provided username and password don't match, the EMS server passes them to the LoginModule, which allows or denies the connection attempt.
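Because a failed local lookup falls through to the LoginModule, the module should deny on any error or missing input. The following is an added example of such a module, not code from TIBCO or from the original page. It assumes tibemsd supplies the username and password through the standard JAAS NameCallback and PasswordCallback; the class name, the option names user, salt and hash, and the iteration count are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical module (needs Java 17+ for HexFormat). The options "user", "salt" and
// "hash" (hex strings) are assumed names set on this module's JAAS configuration entry.
public class ExampleEmsLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Map<String, ?> options;
    private boolean ok;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        handler = h; options = opts;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed");        // fail closed
        }
        char[] pw = pc.getPassword();                            // copy of the supplied password
        pc.clearPassword();
        if (nc.getName() == null || pw == null) throw new FailedLoginException("missing credentials");
        try {
            byte[] salt = HexFormat.of().parseHex((String) options.get("salt"));
            byte[] want = HexFormat.of().parseHex((String) options.get("hash"));
            PBEKeySpec spec = new PBEKeySpec(pw, salt, 210_000, want.length * 8); // constructed cost
            byte[] got = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            spec.clearPassword();
            byte[] name = nc.getName().getBytes(StandardCharsets.UTF_8);
            byte[] user = ((String) options.get("user")).getBytes(StandardCharsets.UTF_8);
            // Non-short-circuit '&' so both comparisons always run
            ok = MessageDigest.isEqual(name, user) & MessageDigest.isEqual(got, want);
        } catch (Exception e) {
            throw new LoginException("verification error");     // bad config or crypto error denies
        } finally {
            Arrays.fill(pw, '\0');                               // wipe the local password copy
        }
        if (!ok) throw new FailedLoginException("denied");
        return true;
    }
    public boolean commit() { return ok; }
    public boolean abort()  { ok = false; return true; }
    public boolean logout() { ok = false; return true; }
}
```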