Custom LoginModule with JAASRealm in Websphere 8.5

I developed a LoginModule that implements javax.security.auth.spi.LoginModule, and I use the org.apache.catalina.realm.JAASRealm. Is there any way to use this solution on WebSphere Application Server 8.5?

I read some articles saying that I need to set my LoginModule in the WEB_INBOUND. I tried this, and the application starts to request authentication, but the authorization didn't work. I guess that is because the JAASRealm doesn't exist on WAS. Is there any similar Realm for WAS? How should I configure that?

One more question: when I configure the WEB_INBOUND, the Admin console also uses my LoginModule to authenticate. Can I use my LoginModule only on my application?

Using login modules is a bit complicated, so I usually recommend avoiding that if possible. WAS provides support for some user registries out of the box, like File, LDAP, custom, and proprietary DB. Check whether that will be sufficient for you. If you need to customize the login process, it is usually easier to use a TAI (trusted associated interceptor) rather than a login module, as it is easier to program it to be active for certain apps only.

You didn't write what your customization in the login module is, so it's hard to recommend the best solution.

For authorization to work with a login module, you either need to have a registry configured with the groups/users for which you are creating the subject, or assert the full subject in the login module; check details in the links below.

As to separating administration security (console) from application security - it is fairly easy in the WAS ND (Network Deployment) configuration, where you have a separate server for management (deployment manager) - you just create a separate security domain and assign it to the servers serving your application.
In the Base (single server) configuration, you can't do that, as security settings are per JVM. You could try some workarounds via a separate server or admin agent, but the setup is more complex, and I didn't test that, so I'm speculating.

You may use WSServletRequestCallback or WSAppContextCallback in your LoginModule and do your customizations only for your application.

You can also create a copy of WEB_INBOUND, and customize that copy. But to use it, you would need customized login page/process and invoke that login config programmatically.

See also:
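
An added example, not part of the original answers: a LoginModule in the WEB_INBOUND stack that uses WSServletRequestCallback to act only for one application and return `false` (JAAS "ignore this module") for everything else, including the Admin console. The class name and the `/myapp` context root are hypothetical, and the module's existing credential logic is assumed to run where the comment indicates.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;

public class AppScopedLoginModule implements LoginModule {
    // Assumption: context root of the one application this module should handle.
    private static final String APP_CONTEXT_ROOT = "/myapp";
    private CallbackHandler handler;
    private boolean active; // true only when this login belongs to our application

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        active = false;
        WSServletRequestCallback reqCb = new WSServletRequestCallback("HttpServletRequest: ");
        try {
            handler.handle(new Callback[] { reqCb });
        } catch (UnsupportedCallbackException e) {
            return false; // not a web login: leave it to the stock modules
        } catch (IOException e) {
            throw new LoginException("Cannot read request callback: " + e.getMessage());
        }
        HttpServletRequest req = reqCb.getHttpServletRequest();
        // Exact match, so "/myapp-admin" or "/ibm/console" never activates this module.
        if (req == null || !APP_CONTEXT_ROOT.equals(req.getContextPath())) {
            return false; // ignored: the remaining WEB_INBOUND modules decide
        }
        // The module's existing checks run here; throw LoginException to reject the login.
        active = true;
        return true;
    }

    @Override public boolean commit() { return active; }
    @Override public boolean abort() { boolean was = active; active = false; return was; }
    @Override public boolean logout() { active = false; return true; }
}
```

Returning `false` rather than throwing for foreign requests matters: a thrown LoginException from a REQUIRED module would fail Admin console logins as well.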
