Adding HTTP response header in j_security_check

In WebSphere, login is handled by the /j_security_check servlet when the server is configured to use a federated repository. This servlet sits at the top of the WAS invocation chain, and there’s no way to intercept the invocation in web.xml. However, the login module (which is based on JAAS, the Java Authentication & Authorization Service) itself provides a full mechanism for interception and chaining. Besides the open standard JAAS, IBM has also developed a proprietary extension mechanism named TAI (Trust Association Interceptor). “Advanced authentication in WebSphere Application Server” is a good article about this, with a full example, and it is the main source of this wiki page. Reading it is strongly recommended if you want to find out more. Another good reference is the IBM Redbook “WebSphere Application Server V6.1 Security Handbook”.
WebSphere defines 4 system login configurations that are used in specific situations related to security:


The picture above shows a simplified view of the authentication flow for the WEB_INBOUND configuration:
(Figure: WEB_INBOUND flow)
So our custom login module can be placed at the bottom of the chain.
The custom login module can use callbacks to obtain information relevant to the authentication from the environment. In our case, we need to obtain an HttpServletResponse instance in order to populate the P3P header attribute. Several callbacks are available for WEB_INBOUND:

  • NameCallback
  • PasswordCallback
  • WSCredTokenCallbackImpl
  • WSTokenHolderCallback
  • WSServletRequestCallback
  • WSServletResponseCallback
  • WSAppContextCallback

There’s a demonstrative example of populating P3P headers in the attachments. Here are a few tips for developing and deploying the module:

  • The Java version of the bytecode should be compatible with the WebSphere runtime environment
  • The WebSphere jar file which contains the WSServletResponseCallback lies in WS_ROOT/runtimes/
  • The output class file should be packed in a jar file and placed in WS_ROOT/lib/ext so that WebSphere can load it globally
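
A minimal sketch of such a login module follows, as an added example (it is not the attachment mentioned above). It assumes WSServletResponseCallback comes from the com.ibm.wsspi.security.auth.callback package of the WebSphere runtime jar; the P3P compact policy string is a constructed sample value. The module only decorates the response: it adds nothing to the Subject and never fails the login because the header could not be set.

```java
package demo;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletResponse;
import com.ibm.wsspi.security.auth.callback.WSServletResponseCallback;

public class P3PAfterLoginModule implements LoginModule {
    // Constructed sample compact policy; replace with your site's real policy.
    private static final String P3P_VALUE = "CP=\"CAO PSA OUR\"";
    private CallbackHandler handler;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = callbackHandler; // Subject is deliberately left untouched
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = { new WSServletResponseCallback("HttpServletResponse: ") };
        try {
            handler.handle(callbacks);
            HttpServletResponse response =
                ((WSServletResponseCallback) callbacks[0]).getHttpServletResponse();
            // WEB_INBOUND can run without a usable response; skip quietly then.
            if (response != null && !response.isCommitted()) {
                response.setHeader("P3P", P3P_VALUE);
            }
        } catch (IOException e) {
            // Setting the header is best effort; authentication is decided upstream.
        } catch (UnsupportedCallbackException e) {
            // The callback handler in use does not supply a servlet response.
        }
        return true;
    }

    // No principals or credentials were added, so there is nothing to commit or undo.
    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}
```

Because the module sits last in the chain, it runs only after the preceding login modules have processed the request; keep it free of any logic that reads or logs the submitted password.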


  1. A similar procedure is also presented in with snapshots.
  2. Open your WebSphere Administrative Console -> Security -> Secure administration, applications, and infrastructure
  3. In the “Authentication” fieldset on the right, follow “Java Authentication Authorization Service” -> “System Logins” -> “WEB_INBOUND” -> “JAAS Login Modules”
  4. Click the “New” button, then enter the class name of your custom login module. In this case it is “demo.P3PAfterLoginModule”. Check “Use login module proxy”. Save the custom module.
  5. You can adjust the execution order of your custom modules. Since our module is intended to run last, this step is not necessary here.
  6. Save your modifications to the configuration file and restart WebSphere.