In a test application with a simple REST web service as an example, I tried to use JASPI to java-ee security.
JASPI worked quickly with Wildfly. At that point, I just implemented the ServerAuthModule interface and configured that module in the server configuration, and everything was fine. Note that the auth module class was just part of my application.
I couldn't make it work in Websphere, this time, as far as I know, implementing exactly that: http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html. As soon as my app was deployed, I had those problems:
- Authentication is completely ignored in my app, though it's specified as required for all resources in web.xml . The login module is not invoked.
- Now the strangest part: Websphere's own admin console fails with a 403 Forbidden status code. I can somehow force some parts of it to display when forcing the right username in my authentication module! Every request to the console triggers breakpoints in my login module.
Deploying using wsadmin command-line console or even from java instead of the administration console doesn't seem to change that (as expected, but I've seen weird things in Websphere in that aspect).
Enabling JASPI and application security in Websphere doesn't change anything.
Anything that I could correct? Do you know of any sample using JASPI that works on Websphere?
EDIT: Java EE 7 Samples' basic-authentication application deploys on websphere, but security is just ignored.