
JAAS LoginModule

Paul Sturrock

Joined: Apr 14, 2004
Posts: 10336

I'm curious if anyone knows (and can explain to me) how a particular custom JAAS LoginModule gets associated with a particular application in WebSphere 5.1. Through the Admin Console I do this:
- Define a new Application Login Configuration (under JAAS Configurations)
- give it as the LoginModule
- include a Custom Property of "delegate" which delegates to my LoginModule (the class file for which is in the WAS_HOME/java/jre/lib/ext directory)
- then I deploy a simple web app using form-based authentication. However, attempting to log in to this results in being used as the authentication service. Always.

Is there another step which I've missed? I've been through the documentation time and again, but there seems to be nothing explicitly defining that application A uses LoginModule A as its sole authentication service.

Anyone out there got any insight into this?

Paul Sturrock

Joined: Apr 14, 2004
Posts: 10336

I'm answering my own post here - just in case anyone was interested.

The answer I have found is that there is no way for an application deployed on WebSphere to be deployed with its own authentication service, unless you also programmatically handle how the service is selected. So you can define a LoginModule and add it to the LoginContext Configuration as documented, but WEB_INBOUND traffic will always default to either swamLoginModule or ltpaLoginModule for primary authentication. Both of these will use the User Registry configured for the instance of that server as their authentication source. So you can't use a custom LoginModule with form-based authentication.

There are two ways round this:
  • Use a Trust Association Interceptor to interrupt the WEB_INBOUND request and redirect it to your login module. Unfortunately this seems to apply to every WEB_INBOUND request, not just those to your application.
  • Replace form-based authentication with your own Front Controller, which programmatically picks the correct LoginContext.
