The application I'm currently working on right now has a custom login, not just a username/password, so I can't use the FORM authentication that all the standard web containers can offer me. There are three pieces of information that the user needs to send so that he or she can be authenticated.
I wanted to use a standard method of authenticating the user. I know that the JAAS architecture addresses this issue with the Callbacks, but how can I integrate this with my application? How do I send the HTTP request information to my JAAS login module, and how do I integrate this with the container so that my servlets can call .getUserPrincipal() and .isUserInRole() and that the principal can be propagated to my EJBs?
This application will be deployed on both JBoss and OC4J... can anyone help me?
I found the answer for doing that in JBoss. The following link was helpful to me:
All I need to do is extend org.jboss.security.auth.spi.AbstractLoginModule and implement the getIdentity() and the getRoleSets() methods.
However, I'm still having some trouble with OC4J. I found the security guide at http://docs.jcu.edu.au/appserver_904_doc/web.904/b10325/loginmod.htm and it says what I should do to integrate my custom login module to the application. It says that all I need to do is to add the proper principal objects to the Subject, but how is it gonna tell which principals are roles, which are identities and which is the primary identity? What should I do? Is there a specific Principal implementation? Please, I need help!
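
The callback route asked about above, as an added example that is not part of the original post and not code from JBoss or OC4J: a container-neutral JAAS `LoginModule` that receives three form fields through a `CallbackHandler` built by the login servlet. The class names, the third field (`branch`) and the fixed test account are assumptions made for illustration; how JBoss or OC4J maps the resulting principals to roles is container-specific and not covered.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added example: ThreeFieldLoginModule, FormHandler, UserPrincipal and "branch" are hypothetical names.
public class ThreeFieldLoginModule implements LoginModule {
    public static class FormHandler implements CallbackHandler { // built by the login servlet from the request
        private final String user, branch; private final char[] pass;
        public FormHandler(String u, char[] p, String b) { user = u; pass = p; branch = b; }
        public void handle(Callback[] cbs) throws UnsupportedCallbackException {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else if (cb instanceof TextInputCallback) ((TextInputCallback) cb).setText(branch);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
    public record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    private Subject subject; private CallbackHandler handler; private Principal identity;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        PasswordCallback pass = new PasswordCallback("password", false);
        TextInputCallback branch = new TextInputCallback("branch");
        try { handler.handle(new Callback[] { name, pass, branch }); }
        catch (Exception e) { throw new LoginException("cannot collect credentials: " + e); }
        if (!check(name.getName(), pass.getPassword(), branch.getText()))
            throw new FailedLoginException("authentication failed");
        identity = new UserPrincipal(name.getName()); // added to the Subject only in commit()
        return true;
    }
    // Constructed stand-in for the real credential store: one fixed test account.
    private static boolean check(String user, char[] pass, String branch) {
        if (user == null || pass == null || branch == null) return false;
        byte[] given = new String(pass).getBytes(UTF_8);
        byte[] want = "constructed-secret".getBytes(UTF_8);
        return "alice".equals(user) & "HQ".equals(branch) & MessageDigest.isEqual(given, want);
    }
    public boolean commit() {
        if (identity != null) subject.getPrincipals().add(identity);
        return identity != null;
    }
    public boolean abort() { boolean had = identity != null; identity = null; return had; }
    public boolean logout() { if (identity != null) subject.getPrincipals().remove(identity); identity = null; return true; }
}
```

The servlet would run it with `new LoginContext("app", new ThreeFieldLoginModule.FormHandler(user, pass, branch)).login()`, where `app` is a hypothetical entry in the JAAS configuration that names this module.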