Integration Server 9.8 JAAS Implementation

Hi,

I am trying to implement a custom JAAS module on Integration Server 9.8 where I want to read HTTP headers and then do authentication based on the content of the headers.

I was successful in setting up a basic JAAS implementation outlined in the Integration Server Administrators Guide “Customizing Authentication Using JAAS” section that reads username and password.

However, the problem arises when I try to implement my module that ONLY reads from custom HTTP headers. I have set up logging in my code, and when I pass in only the custom headers, I get rejected right away with nothing written to the log and a com.wm.app.b2b.server.ServiceException: com.wm.net.NetException: [ISC.0064.9314] Authorization Required: [ISS.0084.9004] Access Denied error. The server log shows the below when this occurs:

[72408]2016-05-24 09:09:46 MDT [ISC.0038.0002D] --> HTTP/1.1 401 [ISS.0084.9004] Access Denied
[72407]2016-05-24 09:09:46 MDT [ISS.0142.0002D] Unregistered Lifecycle Listener com.wm.app.b2b.server.HTTPLifecycleListener@2aa551ff is true
[72406]2016-05-24 09:09:46 MDT [ISS.0007.0006D] ACLManager: allow check for user “local/Default” on service “pub.date:getCurrentDateString” is returning false.
[72405]2016-05-24 09:09:46 MDT [ISS.0007.0003D] ACLManager: allow check for user “local/Default” on ACL “Internal” is returning false.
[72404]2016-05-24 09:09:46 MDT [ISS.0007.0003D] ACLManager: allow check for user “local/Default” on ACL “Internal” is returning false.

So for some reason, Integration Server is defaulting to the Default user when I don’t pass in a username explicitly. Since Default does not have permissions, the request gets rejected. However, when I add Default to the Administrators group, the module works and I am authenticated. Even though I pass user information of an Administrator user in the headers, it still exhibits this behavior. Is this always the behavior of Integration Server? Can you tell Integration Server to NOT use Default user for the requests where username is not explicitly provided, or somehow tell it to check authorization via ACLs using the user information I pass in the headers?

Hai,

I believe the way it work is with minimum basic authentication to be provided and so passing the user/credentials will default work for HTTP. Is it possible for you to change it to HTTPS/request cert based from the module to avoid explicit authentication?

HTH,
RMG

Hi RMG,

At this time I cannot switch to HTTPS.

Please check this article and it sounds you cannot bypass basic auth:

https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?KEY=110230-13200358&DSN=PIVOTAL&DST=TCD&HL=1&QUERY=ISS.0084.9004&SessionID=922202236

HTH,
RMG

Hi RMG,

Thank you for posting that article. It is exactly the behavior we are seeing. This helped a lot.