Hi Henry, I vaguely remember seeing the same problem in WAS6. WebSphere documentation says: A username and password must be specified in the callback handler. Custom classes that are added to the Subject on the client side should get propagated to the server automatically whenever security attribute propagation is enabled. You can set the password to null if you want to use identity assertion without a password. (http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_pacs.html)
So when either a null or an empty string password is supplied to the WAS login module, it takes it as an implicit sign that you want to do identity assertion instead of authentication, and therefore succeeds as long as the user id is valid.

As a workaround, I have seen people write their own login module that simply rejects any null or empty password. Then they chain this login module with the native WebSphere login module, so the latter can check credentials where a password is supplied. This is just a workaround however.

Again I am not a WAS expert and you should probably contact one for further help.

Hope this helps.

Tihomir

On 8/22/11 8:01 PM, hpham1067 wrote:
> I've got Guvnor working with WebSphere 7.0 pretty well. That said, I'm having
> problems using JAAS with the WebSphere WSLogin login implementation module, i.e.
> com.ibm.ws.security.common.auth.module.WSLoginModuleImpl. It seems that
> Guvnor will accept any user authentication if you specify a blank
> password at the login screen. If you type in a wrong password it works as
> expected, but with a blank or no password Guvnor will let the user log in, no
> questions asked. Has anyone encountered this issue? Thanks in advance for your
> help.
>
> - Henry
>
> --
> View this message in context:
> http://drools.46999.n3.nabble.com/Websphere-7-0-and-Drools-Guvnor-5-2-Integration-tp3276699p3276699.html
> Sent from the Drools: User forum mailing list archive at Nabble.com.
> _______________________________________________
> rules-users mailing list
> rules-users@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
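The guard module Tihomir describes, written out as an added example; this is not code from the thread, from Guvnor or from WebSphere. The package, the class name and the GuvnorLogin alias in the configuration comment are assumptions. The module only asks the CallbackHandler for the name and password, fails the login if the password is null, empty or whitespace, and otherwise adds nothing to the Subject, leaving the real authentication to com.ibm.ws.security.common.auth.module.WSLoginModuleImpl, which follows it in the stack. Note the control flag: with plain "required" the stack still runs the WebSphere module after a failure, and that module would accept the empty password; the overall login still fails, but "requisite" stops the stack at the guard, which is what you want.

```java
package example.security; // assumed package, not part of Guvnor or WebSphere

import java.io.IOException;
import java.util.Arrays;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Guard module placed in front of WSLoginModuleImpl. It rejects any login
 * attempt that carries no password, so the WebSphere module never sees the
 * null/empty password it would otherwise interpret as an identity-assertion
 * request and accept for any valid user id.
 *
 * Illustrative JAAS stanza (in WebSphere the application login is normally
 * defined through the administrative console rather than a text file; the
 * alias "GuvnorLogin" is an assumption, only the order and flags matter):
 *
 *   GuvnorLogin {
 *     example.security.RejectEmptyPasswordLoginModule requisite;
 *     com.ibm.ws.security.common.auth.module.WSLoginModuleImpl required;
 *   };
 */
public class RejectEmptyPasswordLoginModule implements LoginModule {

    private CallbackHandler handler;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = callbackHandler;
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) {
            throw new LoginException("no CallbackHandler available");
        }
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pw });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        // getPassword() returns a copy; wipe both copies once we are done with them.
        char[] secret = pw.getPassword();
        try {
            if (name.getName() == null || name.getName().trim().isEmpty()) {
                throw new FailedLoginException("user name required");
            }
            if (secret == null || isBlank(secret)) {
                // This is the case the thread is about: no password means
                // identity assertion to WSLoginModuleImpl, so refuse it here.
                throw new FailedLoginException("password required");
            }
        } finally {
            pw.clearPassword();
            if (secret != null) {
                Arrays.fill(secret, '\0');
            }
        }
        // Credentials are present; the downstream WebSphere module verifies them.
        return true;
    }

    /** True when the password is empty or consists only of whitespace. */
    static boolean isBlank(char[] s) {
        for (char c : s) {
            if (!Character.isWhitespace(c)) {
                return false;
            }
        }
        return true;
    }

    // This module asserts nothing about the user, so commit/abort/logout
    // have no principals or credentials to add or remove.
    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }
}
```

Quick check after wiring it in: log in with a valid user id and an empty password and confirm the login now fails; then log in with a wrong password (should still fail) and with the correct one (should succeed, since the guard passes the request through to the WebSphere module unchanged).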