EJB design: Does JAAS LoginModule work as cross appserver security impl?

  1. We are developing a J2EE based application which can be deployed on Oracle, WebLogic or WebSphere. We store user ids and encrypted passwords in our database and I need to build a security solution that works across app servers. I realize that each vendor has their own API for implementing custom user managers, but what I was hoping to do is create a custom LoginModule that knows how to access our database, then configure the appserver to use that. Unfortunately I have not found a lot of documentation from the vendors about how to use custom JAAS modules -- everything is about the ones they provide.

    Has anyone else successfully done something similar? Building the LoginModule and principal objects is easy, but there is not much point in doing that if the app server has no way to use them.
  2. JBoss covers how to build custom login modules in the paid documentation, with a small example.

  3. You will probably need to make small customizations of the implementation for the various application servers. For example, on BEA, you need to develop an AuthenticationProvider, and as far as I know, you need to add WLSUserImpl and WLSGroupImpl Principals. You can find sample code from the link provided.

    Basically, it can be done, but will take a bit of effort. Hope that helps.