[rules-users] Websphere 7.0 and Drools Guvnor 5.2 Integration

2011-08-22 Thread hpham1067
I've got Guvnor working with WebSphere 7.0 pretty well. That said, I'm having a
problem using JAAS with the WebSphere WSLogin login implementation module, i.e.
com.ibm.ws.security.common.auth.module.WSLoginModuleImpl. It seems that
Guvnor will accept any user authentication if you specify a blank
password at the login screen. If you type in a wrong password, it works as
expected, but with a blank or no password Guvnor will let the user log in, no
questions asked. Has anyone encountered this issue? Thanks in advance for your
help.
 
 - Henry 

--
View this message in context: 
http://drools.46999.n3.nabble.com/Websphere-7-0-and-Drools-Guvnor-5-2-Integration-tp3276699p3276699.html
Sent from the Drools: User forum mailing list archive at Nabble.com.
___
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users


Re: [rules-users] Websphere 7.0 and Drools Guvnor 5.2 Integration

2011-08-22 Thread Tihomir Surdilovic
Hi Henry,
I vaguely remember seeing the same problem in WAS6. WebSphere 
documentation says:
A username and password must be specified in the callback handler. 
Custom classes that are added to the Subject on the client side should 
get propagated to the server automatically whenever security attribute 
propagation is enabled. You can set the password to null if you want to 
use identity assertion without a password. 
(http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_pacs.html)

So when either a null or an empty string password is supplied to the WAS 
login module, it takes it as an implicit sign that you want to do 
identity assertion instead of authentication, and therefore succeeds as 
long as the user id is valid.

As a workaround, I have seen people write their own login module that 
simply rejects any null or empty password. Then they chain this login 
module with the native WebSphere login module, so the latter can check 
credentials where a password is supplied. This is just a workaround 
however. Again I am not a WAS expert and you should probably contact one 
for further help.

Hope this helps.
Tihomir