JACC (JSR-115) support

This section describes how to use JACC (Java Authorization Contract for Containers) in EAServer. For details about JACC, see the JACC specification.

If you intend to use JACC as the access control mechanism for EJB or web modules, you must specify the name of the JACC policy implementation class in each security domain that defines users who access the EJB or web modules. The default value of this property is taken from a Java system property, in accordance with the JACC specification. If this property was not previously set, redeploy all EJB and web modules for which you wish to use JACC.

You may find it easier to use role-based access control. See Chapter 7, “Creating and Using Custom Security Components” for information.

JACC support requires you to pass an extra command-line option to the deploy command, as these examples illustrate:

Deploying with the -jacc option creates additional Ant configuration scripts, for example:

Redeploying discards the previously generated JACC script(s), if any.

Each generated JACC configuration script contains “configure” and “delete” targets. Refer to the “Provider Configuration Subcontract” in the JACC specification for details.

Run the config-jacc and delete-jacc command-line tools to execute the “configure” and “delete” targets. For example:

You must create and edit an Ant script named jacc-provider-info.xml, and set the property jacc.factory to the name of your JACC PolicyConfigurationFactory class. If this property is not set, the PolicyConfiguration object returned by the default factory simply echoes configuration information to the console when you run the config-jacc command.
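As an added illustration (not EAServer's own code), the following is a skeleton of a factory class that jacc.factory could name, written against the standard javax.security.jacc 1.x API. The class name EchoPolicyConfigurationFactory and the "[jacc]" output format are assumptions; like the default behavior described above, it only prints each policy statement it receives, and it does not enforce the specification's rule that an in-service context rejects further additions.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContextException;

// Hypothetical provider class; jacc.factory would hold its fully qualified name.
public class EchoPolicyConfigurationFactory extends PolicyConfigurationFactory {
    // contextID -> TRUE once commit() has placed that context in service
    private final Map<String, Boolean> state = new ConcurrentHashMap<String, Boolean>();

    public PolicyConfiguration getPolicyConfiguration(final String contextID, boolean remove)
            throws PolicyContextException {
        // JACC: this call (re)opens the context. remove == true also discards the
        // policy statements it already holds; false keeps them and extends them.
        state.put(contextID, Boolean.FALSE);
        System.out.println("[jacc] open " + contextID + " remove=" + remove);
        InvocationHandler echo = new InvocationHandler() {
            public Object invoke(Object proxy, Method m, Object[] args) {
                String name = m.getName();
                if (name.equals("getContextID")) return contextID;
                if (name.equals("inService")) return Boolean.TRUE.equals(state.get(contextID));
                if (name.equals("toString")) return "EchoPolicyConfiguration[" + contextID + "]";
                if (name.equals("hashCode")) return contextID.hashCode();
                if (name.equals("equals")) return proxy == args[0];
                if (name.equals("commit")) state.put(contextID, Boolean.TRUE);
                if (name.equals("delete")) state.remove(contextID);
                // addToRole, addToUncheckedPolicy, addToExcludedPolicy, remove*,
                // linkConfiguration, commit, delete: print the call and its arguments
                System.out.println("[jacc] " + contextID + " " + name
                        + (args == null ? "[]" : Arrays.toString(args)));
                return null;
            }
        };
        return (PolicyConfiguration) Proxy.newProxyInstance(
                PolicyConfiguration.class.getClassLoader(),
                new Class<?>[] { PolicyConfiguration.class }, echo);
    }

    public boolean inService(String contextID) throws PolicyContextException {
        return Boolean.TRUE.equals(state.get(contextID));
    }
}
```

Reading the printed addToRole, addToUncheckedPolicy and addToExcludedPolicy calls is a quick way to review which permissions a module's deployment descriptor grants before a real policy provider is put in place.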

Running config-jacc or delete-jacc for an application runs it on all EJB and web modules in the application (similar to the existing configure and recompile commands).

When run, the config-jacc command extends (does not delete) the previous provider configuration. To replace the provider configuration, first run delete-jacc.

After running config-jacc or delete-jacc, refresh the security domain(s) configured with a JACC policy.

Run the configure jacc-on command to enable JACC globally for all subsequent deployments. You can turn it off again using configure jacc-off.