10.4. Extending the Authentication System

The main strength of PAM is that the system may be extended with new authentication technologies. This is done by implementing new LoginModules. For example, an LDAP server can be used to authenticate a user by username and password. To integrate this behavior into WAF, a new login module (for example, LDAPLoginModule) must be defined.

LDAPLoginModule would replace LocalLoginModule in the login configuration. It needs its own configuration information to determine how to connect to the LDAP server. This information can be hard-coded into the module, read from a file, provided by an Initializer, or passed as an option in the login configuration.

If the LDAP username does not match the WAF username, another login module must be defined to map the LDAP username to a WAF user ID. This module, (for example, LDAPUserLoginModule), would replace UserIDLoginModule and must implement MappingLoginModule.getUserID(username) appropriately.

Changing the authentication recipe involves editing the sequence of login modules in the login configuration. For example, you can create a variety of authentication sequences in the login configuration by combining various login modules:


Not all of the combinations will make sense in terms of authentication practices, and may even be a security risk. As part of your exploration with authentication, you can read up on the specifics at http://java.sun.com/security/jaas/apidoc/javax/security/auth/login/Configuration.html.