[rules-users] Websphere 7.0 and Drools Guvnor 5.2 Integration
Tihomir Surdilovic
tsurdilo at redhat.com
Mon Aug 22 20:15:28 EDT 2011

Hi Henry,

I vaguely remember seeing the same problem in WAS6. WebSphere
documentation says:

A username and password must be specified in the callback handler.
Custom classes that are added to the Subject on the client side should
get propagated to the server automatically whenever security attribute
propagation is enabled. You can set the password to null if you want to
use identity assertion without a password.
(http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_pacs.html)

So when either a null or an empty string password is supplied to the WAS
login module, it takes it as an implicit sign that you want to do
identity assertion instead of authentication, and therefore succeeds as
long as the user id is valid.

As a workaround, I have seen people write their own login module that
simply rejects any null or empty password. Then they chain this login
module with the native WebSphere login module, so the latter can check
credentials where a password is supplied. This is just a workaround,
however. Again, I am not a WAS expert and you should probably contact one
for further help.

Hope this helps.

Tihomir

On 8/22/11 8:01 PM, hpham1067 wrote:
> I've got Guvnor working with WebSphere 7.0 pretty well. That said, I'm having
> a problem using JAAS with the WebSphere WSLogin login implementation module, i.e.
> com.ibm.ws.security.common.auth.module.WSLoginModuleImpl. It seems that
> Guvnor will accept any user authentication if you specify a blank
> password at the login screen. If you type in a wrong password it works as
> expected, but with a blank or no password Guvnor will let the user log in, no
> questions asked. Has anyone encountered this issue? Thanks in advance for your
> help.
>
> - Henry