
JAAS LoginContext error when using a custom LoginModule and LTPA


andre...@logicacmg.com

Sep 12, 2006, 9:14:48 AM
Hi everyone,

I'm having a bit of trouble with a custom LoginModule I have written which is deployed on WAS 6.0.2

First a bit of background: I have deployed the LoginModule as a System Login on the WEB_INBOUND Channel. I have placed it last in the module order after the ltpaLoginModule and wsMapDefaultInboundLoginModule. It is marked as REQUIRED and configured with a Proxy.

I have set up a custom LDAP registry (Tivoli Directory Server) and enabled Global Security. SSO is enabled and the LTPA token and Authentication cache timeouts are left with the default values (120 minutes and 600 seconds respectively).

The custom LoginModule is packaged in a WAR (WEB-INF/classes) within an EAR. The Classloader policy for the Application is set to PARENT_LAST and module visibility is APPLICATION.

On WAS 6.0.2.7, when I deploy my Web Application I can access the form-based login page and authenticate against the Directory Server successfully. My custom LoginModule is invoked and performs the extra security checks I require. However, if I then try to access the WAS Web Admin Console I get the following error in the SystemOut log:

JaasLoginHelp A SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.WEB_INBOUND and the exception is javax.security.auth.login.LoginException: unable to find LoginModule class: com.clssi.lcmg.web.security.SwiftLoginModule

I am then unable to log into either the WAS Admin console or my Web Application. Any further attempt to authenticate results in the same error above until I restart the Server.

On WAS 6.0.2.11 I can access the Web Application and authenticate against the Directory Server successfully. I can also log into the WAS Web Admin Console. However, if I leave the server running for some time and then attempt to log into the Admin Console again, the login page refreshes without any errors and no error is written to the SystemOut log. If I restart the Server or just remove my LoginModule, the problem goes away.

I appreciate that the WEB_INBOUND channel is shared across the cell for all web traffic, which means my custom LoginModule is being loaded for authentication for my Web Application and also the Admin Console. I'm guessing I've hit a Classloader visibility issue here which I thought might be solved by using a LoginModule Proxy. Does anyone have any idea as to what I am doing wrong and how to get around the issue?

Many Thanks,

Andy

Paul Ilechko

Sep 12, 2006, 10:02:25 AM
PS: I would also like to point out that in my experience, over 90% of
the time I find that people who are writing custom login modules for WAS
should really be writing either a TAI or a Custom User Registry ...

Paul Ilechko

Sep 12, 2006, 9:53:23 AM
andre...@logicacmg.com wrote:
> Hi everyone,
>
> I'm having a bit of trouble with a custom LoginModule I have written
> which is deployed on WAS 6.0.2
>
> First a bit of background: I have deployed the LoginModule as a
> System Login on the WEB_INBOUND Channel. I have placed it last in the
> module order after the ltpaLoginModule and
> wsMapDefaultInboundLoginModule. It is marked as REQUIRED and
> configured with a Proxy.

Why did you put it last? What are you trying to achieve? If you want to
assert an identity to WAS you would generally put it first ...


>
> I have set up a custom LDAP registry (Tivoli Directory Server) and
> enabled Global Security. SSO is enabled and the LTPA token and
> Authentication cache timeouts are left with the default values (120
> minutes and 600 seconds respectively)
>
> The custom LoginModule is packaged in a WAR (WEB-INF/classes) within
> an EAR. The Classloader policy for the Application is set to
> PARENT_LAST and module visibility is APPLICATION.

Put your login module in <WAS>/lib/ext
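The ordering question above turns on how JAAS runs a stack: every module's login() runs first (phase 1), and only if that phase succeeds does every module's commit() run (phase 2), in the same order. A REQUIRED module placed last can therefore veto the whole login, and nothing is committed to the Subject. The plain-JAAS program below is an added example, not code from the original posts or from WebSphere: a stub registry module stands in for ltpaLoginModule, and a hypothetical LocationLoginModule, configured last and REQUIRED, checks a client address obtained through a TextInputCallback against a hypothetical "allowedPrefix" option. The user name, addresses and prefix are constructed inputs; the whole stack is wired up programmatically so it runs outside any container.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example: a REQUIRED "location" check placed last in a plain-JAAS login stack. */
public class JaasOrderingDemo {

    /** Minimal Principal; "kind" distinguishes the user entry from the location entry. */
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        public NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }

    /** Stand-in for the registry module (ltpaLoginModule in the thread): accepts any name. */
    public static class StubUserLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user; private NamedPrincipal added;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[] { nc }); } catch (Exception e) { throw new LoginException("no name: " + e); }
            user = nc.getName();
            return user != null;
        }
        @Override public boolean commit() {
            if (user == null) return false;
            added = new NamedPrincipal("user", user); subject.getPrincipals().add(added); return true;
        }
        @Override public boolean abort() { user = null; added = null; return true; }
        @Override public boolean logout() { if (added != null) subject.getPrincipals().remove(added); added = null; return true; }
    }

    /** The extra check. Its login() runs after the stub's login() but before ANY commit(). */
    public static class LocationLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Map<String, ?> options;
        private String location; private NamedPrincipal added;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h; options = opts;
        }
        @Override public boolean login() throws LoginException {
            // Phase 1: subject.getPrincipals() is still empty here; nothing has been committed yet.
            TextInputCallback tc = new TextInputCallback("client address: ");
            try { handler.handle(new Callback[] { tc }); } catch (Exception e) { throw new LoginException("no address: " + e); }
            String addr = tc.getText();
            String allowed = (String) options.get("allowedPrefix"); // hypothetical module option
            if (addr == null || allowed == null || !addr.startsWith(allowed)) {
                throw new FailedLoginException("client " + addr + " outside allowed range " + allowed);
            }
            location = addr;
            return true;
        }
        @Override public boolean commit() {
            // Phase 2: reached only if every REQUIRED login() succeeded; earlier modules have committed by now.
            if (location == null) return false;
            added = new NamedPrincipal("location", location); subject.getPrincipals().add(added); return true;
        }
        @Override public boolean abort() { location = null; added = null; return true; }
        @Override public boolean logout() { if (added != null) subject.getPrincipals().remove(added); added = null; return true; }
    }

    /** Constructed handler supplying what a container would normally take from the request. */
    static CallbackHandler handlerFor(final String user, final String addr) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof TextInputCallback) ((TextInputCallback) c).setText(addr);
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    /** Programmatic stack mirroring the thread: registry module first, location check last, both REQUIRED. */
    static final Configuration STACK = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(StubUserLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()),
                new AppConfigurationEntry(LocationLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.singletonMap("allowedPrefix", "10.1.")),
            };
        }
    };

    /** Runs one login; on a veto by the last module the Subject comes back with no principals at all. */
    static Subject attempt(String user, String addr) {
        Subject subject = new Subject();
        try {
            new LoginContext("demo", subject, handlerFor(user, addr), STACK).login();
        } catch (LoginException e) {
            System.out.println(addr + " -> login failed: " + e.getMessage());
        }
        return subject;
    }

    public static void main(String[] args) {
        System.out.println("10.1.2.3    -> " + attempt("andy", "10.1.2.3").getPrincipals());
        System.out.println("192.168.0.9 -> " + attempt("andy", "192.168.0.9").getPrincipals());
    }
}
```

The second attempt shows why "last" does not mean "after authentication has finished": the stub's login() has already succeeded, but its commit() never runs, so the failed location check leaves no user principal behind either. In a real WAS stack the module still has to be loadable by the security runtime for every login that passes through that configuration, which is the classloader problem the thread is about; this example sidesteps it by living entirely on the application classpath.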

andre...@logicacmg.com

Sep 12, 2006, 10:41:52 AM
Hi Paul,

Thanks for getting back to me.

I have put the LoginModule last because it is a customer requirement to authenticate the User against the Directory Server before we perform any extra security checks. The custom LoginModule performs some ancillary checks which assert that the User is accessing the application from a valid location and adds that to the Subject.

The LoginModule uses other application resources that are also deployed in the EAR. Deploying it in a standalone Jar in {WAS_HOME}/lib/ext would mean deploying all the other dependencies with it wouldn't it?

I guess the crux of my question is: Is it possible to package a custom LoginModule in an EAR and deploy it as a System Login on the WEB_INBOUND channel without it causing the Admin Console problems? Is there another way to configure the Module on a per application basis for Web logins?

Andy

Paul Ilechko

Sep 12, 2006, 10:55:47 AM
andre...@logicacmg.com wrote:

> The LoginModule uses other application resources that are also
> deployed in the EAR. Deploying it in a standalone Jar in
> {WAS_HOME}/lib/ext would mean deploying all the other dependencies
> with it wouldn't it?

Having a system component like a login module dependent on application
code is problematic, as you've discovered!


>
> I guess the crux of my question is: Is it possible to package a
> custom LoginModule in an EAR and deploy it as a System Login on the
> WEB_INBOUND channel without it causing the Admin Console problems? Is
> there another way to configure the Module on a per application basis
> for Web logins?

I don't think it's worth the effort of messing around with application
login configurations - it's complicated and doesn't integrate easily
with the WAS security runtime. Have you considered putting your
additional checks in a servlet filter and just storing any data about
those checks in the HTTP session?

Otherwise I would suggest that you open a PMR and try to get an answer
on the strange behavior you are seeing in 6.0.2.11.

Paul.
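The servlet-filter alternative Paul suggests keeps the location check inside the application, where it can see the application's own classes and never touches the cell-wide WEB_INBOUND configuration. The filter below is an added example, not code from the posts or from WebSphere: it runs only once the container has authenticated the user (getUserPrincipal() is non-null), compares the peer address against a hypothetical "allowedPrefixes" init-param, and caches the verdict in the HTTP session under a hypothetical attribute name, re-checking if the authenticated user or the peer address changes within the session.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: post-authentication location check as a servlet filter with a session-cached verdict. */
public class LocationCheckFilter implements Filter {
    static final String VERDICT_KEY = "com.example.locationVerdict"; // hypothetical session attribute name
    private List<String> allowedPrefixes;

    @Override public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical init-param, e.g. "10.1.,10.2." ; fail closed if it is missing.
        String raw = cfg.getInitParameter("allowedPrefixes");
        if (raw == null || raw.trim().isEmpty()) throw new ServletException("allowedPrefixes not configured");
        allowedPrefixes = Arrays.asList(raw.trim().split("\\s*,\\s*"));
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Not authenticated yet (login form, j_security_check): let the container's form login proceed.
        if (http.getUserPrincipal() == null) { chain.doFilter(req, res); return; }

        String user = http.getUserPrincipal().getName();
        String addr = http.getRemoteAddr(); // the TCP peer; see note about proxies below
        HttpSession session = http.getSession(true);
        Verdict v = (Verdict) session.getAttribute(VERDICT_KEY);
        // Evaluate once per (user, address) pair; a changed identity or address invalidates the cached verdict.
        if (v == null || !v.user.equals(user) || !v.address.equals(addr)) {
            v = new Verdict(user, addr, isAllowed(addr));
            session.setAttribute(VERDICT_KEY, v);
        }
        if (!v.allowed) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "access from this location is not permitted");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Dotted-prefix match is a demo shortcut; a real deployment would match CIDR ranges instead. */
    boolean isAllowed(String addr) {
        if (addr == null) return false;
        for (String p : allowedPrefixes) if (addr.startsWith(p)) return true;
        return false;
    }

    @Override public void destroy() {}

    /** Serializable so the cached verdict survives session persistence/replication. */
    static final class Verdict implements Serializable {
        final String user, address; final boolean allowed;
        Verdict(String user, String address, boolean allowed) { this.user = user; this.address = address; this.allowed = allowed; }
    }
}
```

Two caveats a reviewer would raise: if a web server or reverse proxy sits in front of the application server, getRemoteAddr() is the proxy's address unless the server is configured to trust the proxy's forwarded-client information, and forwarding headers must never be trusted from arbitrary clients; and because the verdict lives in the session, invalidating the session on logout is what makes the check run again for the next login.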
