I extended the JAAS javax.security.auth.spi.LoginModule, and installed it into a WAS server. It works; all logins go through the code in this new class, and if it says to not let them login, they're prevented from logging in.
The root problem: I don't want it to filter logins for the admin console (/ibm/console), but I do want it to filter logins for other things on the server. I think that with the available setup, the login module applies to everything installed on the server, including the administration screens.
I'd like to solve that by getting the URL of the page that triggered the call to the LoginModule. If I were using WebLogic, I'd use a URLCallback to get the URL. Does anyone know if Websphere Application Server has any parallel functionality to that, or if there's another workaround?
As the potentially useful added information, I can't apply JAAS to individual apps on the server; the deployment descriptors are greyed-out in the admin console. I can only apply new JAAS JAR modules to the entire server, which is a problem for me.