IBM Support

TroubleShooting: programmatic login using JAAS

Troubleshooting


Problem

This document covers troubleshooting for problems with IBM WebSphere Application Server programmatic login using Java Authentication and Authorization Service (JAAS). It should help you address common issues with this component before calling IBM Support, and save you time.

Resolving The Problem

Getting background information on programmatic login

WebSphere Application Server provides a Java Authentication and Authorization Service (JAAS) login module that an application can use to perform programmatic authentication to the WebSphere Application Server security runtime.

There are two built-in JAAS login configurations that programmers can use:

  • WSLogin - a generic JAAS login configuration that performs authentication based on a user ID and password or a token.
  • ClientContainer - a JAAS login configuration that uses the CallbackHandler specified in the client container deployment descriptor.

Alternatively, you can define your own JAAS login configuration.
Go here for instructions on how to configure programmatic login for JAAS.
Go here for instructions on how to develop programmatic logins with JAAS.

Troubleshooting questions to help resolve JAAS login problems

1. Do you get a login exception after issuing the LoginContext.login API?

Find the root cause by pulling out the exception wrapped by the com.ibm.websphere.security.auth.WSLoginFailedException class.
See the sample code here.
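One way to pull out the wrapped root cause, as an added example that is not IBM's sample code. It uses only JDK classes: a plain LoginException stands in for WSLoginFailedException, the exception chain in main is constructed for illustration, and the wrapped exception is assumed to be reachable through the standard Throwable.getCause() chain.

```java
import java.net.ConnectException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Set;
import javax.naming.NamingException;
import javax.security.auth.login.LoginException;

public class LoginRootCause {

    /** Returns the wrapped exceptions, outermost first; the last element is the root cause. */
    static List<Throwable> causeChain(Throwable t) {
        List<Throwable> chain = new ArrayList<>();
        // Identity set guards against a cause chain that loops back on itself.
        Set<Throwable> seen =
                Collections.newSetFromMap(new IdentityHashMap<Throwable, Boolean>());
        while (t != null && seen.add(t)) {
            chain.add(t);
            t = t.getCause();
        }
        return chain;
    }

    public static void main(String[] args) {
        // Constructed sample standing in for what LoginContext.login() throws:
        // a login failure wrapping a naming failure wrapping a refused connection.
        NamingException naming = new NamingException("cannot reach security server");
        naming.initCause(new ConnectException("Connection refused"));
        LoginException login = new LoginException("login failed");
        login.initCause(naming);

        try {
            throw login; // in an application: loginContext.login();
        } catch (LoginException e) {
            List<Throwable> chain = causeChain(e);
            for (int i = 0; i < chain.size(); i++) {
                System.err.println("  [" + i + "] " + chain.get(i));
            }
            // The innermost exception tells you whether the failure was bad
            // credentials, an unreachable server, or a configuration problem.
            Throwable root = chain.get(chain.size() - 1);
            System.err.println("root cause: " + root.getClass().getName());
        }
    }
}
```

Log the full chain on the server side and show the end user only a generic login failure message, so that the root cause does not reveal which part of the authentication failed.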

2. Does WSSubject.getCallerSubject() return null or is the subject not associated with the request?

After a programmatic login, no JAAS subject is associated with the executing thread (getCallerSubject returns null) unless the application first sets the subject, usually by calling the JAAS doAs method or setRunAsSubject.

How to associate a subject with the current context by calling doAs

Code Examples
Example: Getting the caller subject from the thread
Example: Overriding the RunAs subject on the thread
Example: Programmatic logins

JAAS login sample
Go here for sample JAAS login code

JAAS login with failover
1. If you know all possible host and port numbers at configuration time, you can list all hosts and ports in sas.client.props, with the hosts (and ports) separated by '|'.

For example:

com.ibm.CORBA.securityServerHost=host1|host2|host3
com.ibm.CORBA.securityServerPort=port1|port2|port3

Programmatic login will then automatically fail over among the listed hosts.

OR

2. If you know all hosts and ports at programming time, you can comment out the following two properties from sas.client.props

com.ibm.CORBA.securityServerHost=
com.ibm.CORBA.securityServerPort=

and use the following sample code to perform programmatic login

..............
Properties props = new Properties();
// Example provider URL: "corbaloc:iiop:CLIANG10.austin.ibm.com:2809,:cliang1.austin.ibm.com:2809"
props.put(Context.PROVIDER_URL, "corbaloc:iiop:host1:port1,:host2:port2,:host3:port3");
InitialContext ctx = new InitialContext(props);
Object obj = ctx.lookup("");
.......................
LoginContext loginContext =
    new LoginContext("WSLogin",
        new com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl());
loginContext.login();

Note that if you do not comment out the host and port in sas.client.props, the client application will always use the host from sas.client.props and ignore the host and port specified by the application.

3. If the host and port numbers are not known at programming time or at configuration time, and are passed into the login module dynamically, programmatic login can be implemented to log in against a different host for each request.

...............
Properties props = new Properties();
props.put("com.ibm.websphere.naming.jndicache.cacheobject","cleared");
props.put(Context.PROVIDER_URL, "host:port");
InitialContext ctx = new InitialContext(props);
Object obj = ctx.lookup("");
.......................
LoginContext loginContext =
    new LoginContext("WSLogin",
        new com.ibm.websphere.security.auth.callback.WSGUICallbackHandlerImpl());
loginContext.login();

Samples Gallery
The Samples Gallery provides a JAAS login sample that demonstrates JAAS with WebSphere Application Server. The sample uses a server-side login with JAAS to authenticate a user with the security run time for WebSphere Application Server. The sample demonstrates the following technology:
  • Java 2 Platform, Enterprise Edition (J2EE) Java Authentication and Authorization Service (JAAS)
  • JAAS for WebSphere Application Server
  • WebSphere Application Server security

Go here for instructions on the Samples Gallery. The JAAS login sample is one of the Technology Samples.

What to do Next?
If the preceding steps did not help solve your problem, see the MustGather for JAAS login to continue your investigation.


Document Information

Modified date: 15 June 2018

UID: swg21232389