Is there a way to force my Java EE application to use j_security_check for authentication, but not authorization? I want to do authentication through a Standalone LDAP Repository, but I want to do programmatic authorization in my application.

Specifically, I do not want to do any configuration around Authorization (user role mapping to groups) within the Websphere Application Server admin console.

For example:

1. User logs in with 'user1' and password 'password1' which are correct
2. Websphere finds this person in LDAP, knows they are who they say they are (Authentication)
3. I check from a file on the file system if this user is authorized or not (Authorization)

I suggest using Spring Security for this. We have implemented this exact pattern in WebSphere. The trick is to use the pre-authentication mechanism that Spring Security provides and then define only the authorization rules in the configuration.

<http>
  <session-management session-fixation-protection="none"/>
  <custom-filter position="PRE_AUTH_FILTER" ref="preAuthenticationFilter"/>
  <intercept-url pattern="/j_security_check" filters="none"/>
  <intercept-url pattern="/ibm_security_logout" filters="none"/>
  <!-- put authorization intercept-url elements here... -->
</http>

You have to define some other beans as well, such as the pre-authenticated filter and a custom entry point, but that's documented here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html

Have a look at Spring Security. The concepts of authentication and authorisation are split.

Authentication is handled by an AuthenticationProvider (an LdapAuthenticationProvider implementation is part of spring). The authentication provider delegates to fetch details of the user, which includes a list of GrantedAuthority objects which can represent a user's permissions.

LdapAuthenticationProvider by default attempts to get granted authorities from the directory, so you will need to provider your own LdapAuthoritiesPopulator implementation which loads from the file system.

Java EE Security can be split as well. It depends on your container's implementation however. Since you mention websphere this document might be of interest.