[[Elytron_and_Java_Authorization_Contract_for_Containers-JACC]] = Elytron and Java Authorization Contract for Containers (JACC) [abstract] This document will guide you on how to enable JACC using Elytron Subsystem. [[disabling-jacc-in-legacy-security-subsystem-picketbox]] == Disabling JACC in Legacy Security Subsystem (PicketBox) By default, the application server uses the legacy security subsystem (PicketBox) to configure the JACC policy provider and factory. The default configuration maps to implementations from PicketBox. In order to use Elytron to manage JACC configuration (or any other policy you want to install to the application server) you must first disable JACC in legacy security subsystem. For that, please execute the following CLI command: [source, ruby] ---- /subsystem=security:write-attribute(name=initialize-jacc, value=false) ---- The command above tells the legacy security subsystem to not initialize any JACC related configuration, but rely on the policies defined via Elytron subsystem as we'll see in the next sections. [[defining-a-jacc-policy-provider]] == Defining a JACC Policy Provider Elytron subsystem provides a built-in policy provider based on JACC specification. To create the policy provider you can execute a CLI command as follows: [source, ruby] ---- [standalone@localhost:9990 /] /subsystem=elytron/policy=jacc:add(jacc-policy={}) ---- After executing the command above, please reload the server configuration as follows: [source, ruby] ---- [standalone@localhost:9990 /] reload ---- [[enabling-jacc-to-a-web-deployment]] == Enabling JACC to a Web Deployment Once JACC Policy Provider is defined you can enable JACC to web deployments by executing the following command: [source, ruby] ---- [standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication,enable-jacc=true) ---- The command above defines a default security domain for applications if none is provided in *jboss-web.xml.* In case you already have a *application-security-domain* defined and just want to enable JACC you can execute a command as follows: [source, ruby] ---- [standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=my-security-domain:write-attribute(name=enable-jacc,value=true) ---- [[enabling-jacc-to-a-ejb-deployment]] == Enabling JACC to a EJB Deployment Once JACC Policy Provider is defined you can enable JACC to EJB deployments by executing the following command: [source, ruby] ---- [standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain,enable-jacc=true) ---- The command above defines a default security domain for EJBs. In case you already have a *application-security-domain *defined and just want to enable JACC you can execute a command as follows: [source, ruby] ---- [standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=my-security-domain:write-attribute(name=enable-jacc,value=true) ----