JAAS LoginModule

I'm curious if anyone knows (and can explain to me) how a particular custom JAAS LoginModule gets associated with a particular application in WebSphere 5.1. Through the Admin Console I do this:
- Define a new Application Login Configuration (under JAAS Configurations)
- give it com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy as the LoginModule
- include a Custom Property of "delegate" which delegates to my LoginModule (the class file for which is in the WAS_HOME/java/jre/lib/ext directory)
- then I deploy a simple web app using form-based authentication. However, attempting to log in to this results in ource=com.ibm.ws.security.server.lm.swamLoginModule being used as the authentication service. Always.

Is there another step which I've missed? I've been through the documentation time and again, but there seems to be nothing explicitly defining that application A uses LoginModule A as its sole authentication service.

Anyone out there got any insight into this?
Paul Sturrock
I'm answering my own post here - just in case anyone was interested.

The answer I have found is that there is no way for an application deployed on WebSphere to be deployed with its own authentication service, unless you also programmatically handle how the service is selected. So you can define a LoginModule and add it to the LoginContext Configuration as documented, but WEB_INBOUND traffic will always default to either swamLoginModule or ltpaLoginModule for primary authentication. Both of these will use the User Registry configured for the instance of that server as its authentication source. So you can't use a custom LoginModule with form based authentication.

There are two ways round this:
  • Use a Trust Association Interceptor to interrupt the WEB_INBOUND request and redirect it to your login module. Unfortunately this seems to apply to every WEB_INBOUND request, not just those to your application.
  • Replace form based authentication with your own Front Controller, which programmatically picks the correct LoginContext.

    Don't get me started about those stupid light bulbs.
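
The second workaround above, sketched as an added example (not code from the post or from WebSphere): a front controller servlet that opens a LoginContext by alias using only standard JAAS and servlet APIs. The alias `MyAppLogin`, the `username`/`password` form fields, the `authSubject` session attribute and the `/home` redirect are assumptions, as is the premise that the container's declarative security stays unaware of this login.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.*;

public class LoginController extends HttpServlet {
    // Hypothetical alias; must match the Application Login Configuration name.
    private static final String LOGIN_CONFIG = "MyAppLogin";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        final String user = req.getParameter("username");
        final String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Hands the submitted credentials to whichever LoginModule the alias names.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (callbacks[i] instanceof NameCallback) {
                        ((NameCallback) callbacks[i]).setName(user);
                    } else if (callbacks[i] instanceof PasswordCallback) {
                        ((PasswordCallback) callbacks[i]).setPassword(pass.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(callbacks[i]);
                    }
                }
            }
        };
        try {
            LoginContext lc = new LoginContext(LOGIN_CONFIG, handler);
            lc.login();
            Subject subject = lc.getSubject();
            // Drop the pre-login session so its ID cannot be reused (session fixation).
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            // Assumption: container security does not see this login, so the application
            // must check this attribute itself (e.g. in a filter) on every request.
            req.getSession(true).setAttribute("authSubject", subject);
            resp.sendRedirect(req.getContextPath() + "/home");
        } catch (LoginException e) {
            // Same response for unknown user and bad password.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```

Because this replaces form-based authentication, every protected resource needs its own check for the session attribute; `web.xml` security constraints will not enforce it.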