WAS Liberty - How to trigger JAAS module?

Question

Using WAS 8558 and on one of the URL pattern, need to invoke JAAS module.

Entry in web.xml

<security-constraint>
<display-name>SampleConstraint</display-name>
<web-resource-collection>
  <web-resource-name>Sample</web-resource-name>
  <url-pattern>/wasauth</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
  <description>
        Users allowed access to spoke Identity Provider</description>
  <role-name>FIMAnyAuthenticated</role-name>
  <role-name>FIMUserSelfCareAnyAuthenticated</role-name>
</auth-constraint>

Entry in server.xml

<jaasLoginContextEntry id="system.FIM_OUTBOUND" name="system.FIM_OUTBOUND" loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token"/>
                 <jaasLoginModule id="myCustom" className="com.*.SampleLoginModule" controlFlag="REQUIRED" libraryRef="customLoginLib">
</jaasLoginModule>

                 <library id="customLoginLib" apiTypeVisibility="spec, ibm-api, api">
    <fileset dir="/" includes="com.**_8.0.0.jar"/>

This flow is using Federated repository feature (Liberty) for authentication. Above mentioned settings allow user to get authenticated against repository however JAAS module is not getting invoked.

If I convert JAAS entry to system.WEB_INBOUND using WSLoginModuleProxy - JAAS module gets invoked.

Liberty does have appSecurity-2.0 feature enabled.

Is there any other configuration which needs to be done?

Answer 1

When the Liberty profile performs authentication for protected web resources it uses the system.WEB_INBOUND JAAS login configuration entry. So any custom login modules that you have configured in it will be called.

If you have configured your custom login modules in your own or a different JAAS configuration it will not be called by the server during web authentication. Your application. however, can call it directly.