In a test application with a simple REST web service, as an example, I tried using JASPI for java-ee security.
JASPI quickly worked with Wildfly. At this point, I just implemented the ServerAuthModule interface and configured this module in the server configuration, and everything was fine. Please note that the auth module class was only part of my application.
I could not get it to work in Websphere, this time, as far as I know, implementing exactly this: http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html . Once my application was deployed, I had problems:
- Authentication is completely ignored in my application, although it is listed as required for all resources in web.xml. The login module is not called.
- Now the weirdest part: Websphere’s own admin console does not work with 403 Forbidden status code. I can somehow make some parts of it display when forcing the correct username in my authentication module! Each console request triggers breakpoints in my entry module.
Deploying using the wsadmin command-line console or even from java instead of the admin console does not look like this (as expected, but I saw strange things in this aspect).
Enabling JASPI and application security in Websphere does not change anything.
Anything I could fix? Do you know any sample using JASPI that works in Websphere?
EDIT: Java EE 7 Samples: websphere, .