I have a JASPIC auth module that works really well on GlassFish, WildFly and WebLogic.
Now we have a new customer who uses WebSphere 8.5, and I can't get the auth module to run properly there.
The problem is that WebSphere doesn't accept the username that the auth module puts in the CallerPrincipalCallback. Our other supported servers just accept this, but WebSphere for some reason thinks it needs to perform some extra checks.
After investigating the issue I stumbled upon this one: https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014937852
This exactly describes my problem, but there's no solution given there.
How can I confince WebSphere to just process the CallerPrincipalHandler and accepting any username like all other servers do?
In general I usually advise to use container authentication/authorization, if possible, as it is already provided by server infrastructure and for majority of cases sufficient.
However, if in your case you need it, here are some hints.
If you want to avoid extra checks, and allow authentication of users that are not in the WebSphere user registry you have to create full subject like this (this is fixed user simplification), instead of using callbacks:
I'm assuming that you want to map these users to some security roles in your application. You can map it either using users, groups or special subject. You need to have roles defined in your
application.xml
, like this:and you will need binding file, since binding cannot be done via console for non-existing users/groups. Create
ibm-application-bnd.xml
file:I provided sample for all kinds of mappings, use the one that suits your needs:
user
- for mapping named users to rolegroup
- for mapping group to rolespecial-subject
- if you want any successfully authenticated user to have that role.Important if you want to use fake users/groups you have to provide
access-id
attribute, if they are in the registry then just providename
.See also: