JAAS LoginModule

 
I'm curious if anyone knows (and can explain to me) how a particular custom JAAS LoginModule gets associated with a particular application in WebSphere 5.1. Through the Admin Console I do this:
- Define a new Application Login Configuration (under JAAS Configurations)
- give it com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy as the LoginModule
- include a Custom Property of "delegate" which delegates to my LoginModule (the class file for which is in the WAS_HOME/java/jre/lib/ext directory)
- then I deploy a simple web app using form-based authentication. However, attempting to log in to this results in ource=com.ibm.ws.security.server.lm.swamLoginModule being used as the authentication service. Always.

Is there another step which I've missed? I've been through the documentation time and again, but there seems to be nothing explicitly defining that application A uses LoginModule A as its sole authentication service.

Anyone out there got any insight into this?
 
Paul Sturrock
I'm answering my own post here - just in case anyone was interested.

The answer I have found is that there is no way for an application deployed on WebSphere to be deployed with its own authentication service, unless you also programmatically handle how the service is selected. So you can define a LoginModule and add it to the LoginContext Configuration as documented, but WEB_INBOUND traffic will always default to either swamLoginModule or ltpaLoginModule for primary authentication. Both of these will use the User Registry configured for the instance of that server as their authentication source. So you can't use a custom LoginModule with form-based authentication.

There are two ways round this:
  • Use a Trust Association Interceptor to interrupt the WEB_INBOUND request and redirect it to your login module. Unfortunately this seems to apply to every WEB_INBOUND request, not just those to your application.
  • Replace form-based authentication with your own Front Controller, which programmatically picks the correct LoginContext.
