I'm curious if anyone knows (and can explain to me) how a particular custom JAAS LoginModule gets associated with a particular application in WebSphere 5.1. Through the Admin Console I do this:
- Define a new Application Login Configuration (under JAAS Configurations)
- give it com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy as the LoginModule
- include a Custom Property of "delegate" which delegates to my LoginModule (the class file for which is in the WAS_HOME/java/jre/lib/ext directory)
- then I deploy a simple web app using form-based authentication.

However, attempting to log in to this results in ource=com.ibm.ws.security.server.lm.swamLoginModule being used as the authentication service. Always.
Is there another step which I've missed? I've been through the documentation time and again, but there seems to be nothing explicitly defining that application A uses LoginModule A as its sole authentication service.
I'm answering my own post here - just in case anyone was interested.
The answer I have found is that there is no way for an application deployed on WebSphere to be deployed with its own authentication service, unless you also programmatically handle how the service is selected. So you can define a LoginModule and add it to the LoginContext Configuration as documented, but WEB_INBOUND traffic will always default to either swamLoginModule or ltpaLoginModule for primary authentication. Both of these will use the User Registry configured for the instance of that server as their authentication source. So you can't use a custom LoginModule with form-based authentication.
There are two ways round this:
Use a Trust Association Interceptor to interrupt the WEB_INBOUND request and redirect it to your login module. Unfortunately this seems to apply to every WEB_INBOUND request, not just those to your application.
Replace form-based authentication with your own Front Controller, which programmatically picks the correct LoginContext.