Hi,
I am trying to implement a custom JAAS module on Integration Server 9.8 where I want to read HTTP headers and then do authentication based on the content of the headers.
I was successful in setting up a basic JAAS implementation outlined in the Integration Server Administrators Guide “Customizing Authentication Using JAAS” section that reads username and password.
However, the problem arises when I try to implement my module that ONLY reads from custom HTTP headers. I have set up logging in my code, and when I pass in only the custom headers, I get rejected right away with nothing written to the log and a com.wm.app.b2b.server.ServiceException: com.wm.net.NetException: [ISC.0064.9314] Authorization Required: [ISS.0084.9004] Access Denied error. The server log shows the following when this occurs:
[72408]2016-05-24 09:09:46 MDT [ISC.0038.0002D] → HTTP/1.1 401 [ISS.0084.9004] Access Denied
[72407]2016-05-24 09:09:46 MDT [ISS.0142.0002D] Unregistered Lifecycle Listener com.wm.app.b2b.server.HTTPLifecycleListener@2aa551ff is true
[72406]2016-05-24 09:09:46 MDT [ISS.0007.0006D] ACLManager: allow check for user "local/Default" on service "pub.date:getCurrentDateString" is returning false.
[72405]2016-05-24 09:09:46 MDT [ISS.0007.0003D] ACLManager: allow check for user "local/Default" on ACL "Internal" is returning false.
[72404]2016-05-24 09:09:46 MDT [ISS.0007.0003D] ACLManager: allow check for user "local/Default" on ACL "Internal" is returning false.
So for some reason, Integration Server is defaulting to the Default user when I don't pass in a username explicitly. Since Default does not have permissions, the request gets rejected. However, when I add Default to the Administrators group, the module works and I am authenticated. Even though I pass user information of an Administrator user in the headers, it still exhibits this behavior. Is this always the behavior of Integration Server? Can you tell Integration Server NOT to use the Default user for requests where a username is not explicitly provided, or somehow tell it to check authorization via ACLs using the user information I pass in the headers?