WebSphere (traditional). In the case of container-based authentication with a custom user registry, when a login from the web application failed, we obtained the root reason for the failure by calling:
com.ibm.websphere.security.auth.WSSubject.getRootLoginException();
The above API exists at: {Server_Root_Dir}/AppServer/plugins/com.ibm.ws.runtime_x.y.z.jar
The decompiled source code of the getRootLoginException() method:
public static Throwable getRootLoginException(){ return ContextManagerFactory.getInstance().getRootException(); }
WebSphere (Liberty). In the case of container-based authentication with a custom user registry, we cannot find the root cause of the login failure by calling:
com.ibm.websphere.security.auth.WSSubject.getRootLoginException();
The above API exists at: {Server_Root_Dir}/lib/com.ibm.websphere.security_x.y.z.jar
This is because the decompiled source code of the getRootLoginException() method is:
public static Throwable getRootLoginException(){ return null; }
But at https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/auth/WSSubject.html
IBM claims that:
public static java.lang.Throwable getRootLoginException()
This convenience method returns the root login exception from the login module, if one exists.
It will catch an exception from the current thread. You will get the exception from the login module that is considered the root exception. This may be a nested exception; you may have to follow the causes of the returned exception until you get the real root exception.
Returns: A Throwable containing the root login exception. If no login exception occurred, null is returned.
I would like to know which API to call in WebSphere (Liberty) in order to find the root cause of the login failure.
Why is WSSubject.getRootLoginException() required:
A custom implementation of com.ibm.websphere.security.UserRegistry requires that you verify the user name and password entered by the web application user by providing your own definition of checkPassword(String userSecurityName, String passwd). See http://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/csec_customauth.html
If the user provides incorrect information, you can throw PasswordCheckFailedException or CustomRegistryException with your message. This checkPassword(String userSecurityName, String passwd) is actually called by WebSphere (traditional or Liberty) from the JAAS javax.security.auth.spi.LoginModule.login(), and the PasswordCheckFailedException or CustomRegistryException, together with its message, is wrapped in the javax.security.auth.login.LoginException that is thrown.
To provide feedback to the web application user, we need to get at the exception thrown from javax.security.auth.spi.LoginModule.login(). The way to do this is by calling com.ibm.websphere.security.auth.WSSubject.getRootLoginException() from a servlet filter. This works fine in WebSphere (traditional), but no longer in WebSphere (Liberty). The problem is that IBM has not documented this restriction anywhere.
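As an added illustration (not code from the question or from IBM), this is the kind of servlet filter the question describes: it calls WSSubject.getRootLoginException(), follows the cause chain down to the registry exception, and maps it to a short user-facing message while keeping the detail in the server log. The filter name, its mapping to the form-login error page, and the "loginMessage" request attribute are assumptions; on Liberty the call returns null and the filter falls through to the generic message.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.auth.WSSubject;

// Hypothetical filter, assumed to be mapped to the form-login error page, that
// turns the root login exception into a user-facing message (traditional WAS only).
public class LoginFailureFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(LoginFailureFilter.class.getName());

    // The LoginException from LoginModule.login() wraps the registry exception;
    // follow getCause() until the chain ends, as the WSSubject javadoc suggests.
    static Throwable rootCause(Throwable t) {
        Throwable cur = t;
        while (cur != null && cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
        }
        return cur;
    }

    // Map the root cause to a short message that does not reveal registry details;
    // a null root (what Liberty returns) falls back to the generic text.
    static String userMessage(Throwable root) {
        if (root instanceof PasswordCheckFailedException) return "Invalid user name or password.";
        if (root instanceof CustomRegistryException) return "The user registry could not process the login.";
        return "Login failed.";
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Throwable root = rootCause(WSSubject.getRootLoginException());
        if (root != null) {
            // Full detail stays in the server log, never in the response body.
            LOG.warning("login failed: " + root.getClass().getName() + ": " + root.getMessage());
        }
        req.setAttribute("loginMessage", userMessage(root)); // read by the error page JSP
        chain.doFilter(req, res);
    }
}
```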