I am trying to build a website running on Sun app server. The site will have to be launched from another legacy site, which will provide a single access token as a request parameter for authentication. I want to create a customized authentication module to handle this access token, verify it, then tell the web container whether the user is valid/invalid. I try to do it by extending the PasswordLoginModule class provided by Sun app server. The problem is that it looks like the class only accepts username and password as authentication input parameters, and so does its parent LoginModule. I am wondering if there is a way or workaround to bypass the username/password thing so I can check my access token.
The access token will be verified against database.
Hi Raymond, effectively the Sun ONE app server forces you to extend Sun's PasswordLoginModule and not directly the LoginModule. I think it is a drawback... Another option would be to configure jGuard (http://jguard.sourceforge.net) on your application server, and use your loginModule (which extends LoginModule directly) with the jGuard configuration. => The requirement to extend PasswordLoginModule seems to be raised by proprietary application server design... (bad J2EE security specification consequences...). jGuard integrates JAAS in your J2EE environment without any proprietary issue.
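
An added example, not part of the thread and not code from Sun or jGuard: a token-only module written against the standard `javax.security.auth.spi.LoginModule` interface (Java 17+), receiving the token through a `TextInputCallback` and checking it against the database. The `dataSource` option, the `access_tokens` table and its columns, and a `CallbackHandler` that fills the callback from the request parameter are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.sql.*;
import java.util.*;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;

// Added example. Option, table and column names are hypothetical.
public class TokenLoginModule implements LoginModule {
    record TokenPrincipal(String name) implements Principal { public String getName() { return name; } }
    private Subject subject; private CallbackHandler handler;
    private String dataSourceName; // JNDI name from the "dataSource" module option (assumed)
    private Principal principal;   // set only after a successful login()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; dataSourceName = (String) opts.get("dataSource");
    }

    public boolean login() throws LoginException {
        TextInputCallback cb = new TextInputCallback("token"); // no username/password involved
        try {
            handler.handle(new Callback[] { cb });
            String token = cb.getText();
            if (token == null || token.isEmpty()) throw new FailedLoginException("no token");
            // Look up a SHA-256 hash so the database never holds usable tokens in clear.
            String hash = HexFormat.of().formatHex(
                MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8)));
            DataSource ds = (DataSource) new InitialContext().lookup(dataSourceName);
            try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(
                    "SELECT username FROM access_tokens WHERE token_hash = ? AND expires_at > CURRENT_TIMESTAMP")) {
                ps.setString(1, hash); // bound parameter: the token never enters the SQL text
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) throw new FailedLoginException("unknown or expired token");
                    principal = new TokenPrincipal(rs.getString(1));
                    return true;
                }
            }
        } catch (LoginException e) { throw e;
        } catch (Exception e) { // callback, JNDI, SQL or digest failure: fail closed
            throw new LoginException("token check failed");
        }
    }
    public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
    public boolean abort() { boolean had = principal != null; principal = null; return had; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```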