Does WebSphere 8 have something analogous to Tomcat Valves for request interception(that isn't in-app Servlet Filters..)?

Question

I've got to configure an existing app that is typically deployed on Tomcat or Jetty onto WebSphere Application Server v8. The main problem that I have is that in the environment it'll be deployed in, it's expected to handle authentication/authorization via JAAS. Unfortunately the application uses a home-brewed authentication system and isn't compatible with JAAS or WebSphere's implementation of JAAS.

So far, in order to provide a shim that will allow the app to live harmoniously on WebSphere, I've been trying to write a WebSphere trust association interceptor to pull a Subject from websphere's interface(via a call to com.ibm.websphere.security.auth.WSSubject.getCallerSubject()) and place it into the HttpServletRequest where through the course of it's normal operations my webapp will then pull the added attribute for our use. But that seems...tricky. It seems very purpose built and it seems like we can't use it for this type of operation.

Ideally, I'd like to keep away from in-app Filters because I'd like to keep IBM-specific code out of the app as much as possible.

Does anyone here have any suggestions?

Answer 1

A possible solution is to use a filter residing outside of the application similar to the following example:

https://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101859

This will still be a a part of the filter chain and function the same way as any other filter, but the code will not be part of the application. It will reside in a separate jar file.