I'm trying to refactor a Java web app so that the authentication is configurable (using a configured auth.login.defaultCallbackHandler). That way anyone that uses the source code for this application can easily configure their own authentication.
From the reading I've done, the CallbackHandler (see javax.security.auth.callback.CallbackHandler) is responsible for prompting the user for things such as username and password. The examples that I've seen, however, are standalone applications. I have yet to find an example of a web application that uses the CallbackHandler to prompt the user.
It looks easy enough to instantiate my own CallbackHandler, passing an HttpServletResponse into the constructor. Then the CallbackHandler could write the response page or redirect. When that page is submitted, a different instance of the same CallbackHandler would inspect the HttpServletRequest and see that a user name and password were supplied.
But I would really like to configure the auth.login.defaultCallbackHandler. That way others sharing the code will be able to configure the app to use their own CallbackHandler code.
Does anyone know how to do this? Basically I think I need a way for my CallbackHandler to have access to HttpServletRequest/HttpServletResponse. But the auth.login.defaultCallbackHandler configured CallbackHandler requires an empty constructor.
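
The constructor-injected handler described in the third paragraph, as an added example that is not code from the post: it answers NameCallback and PasswordCallback from submitted form fields instead of prompting. The class name and the field names `username` and `password` are assumptions; in a servlet the lookup would be `request::getParameter`, and the handler would be passed to `new LoginContext(name, handler)` rather than configured through auth.login.defaultCallbackHandler.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import java.util.function.Function;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Hypothetical handler: fills JAAS callbacks from form fields, never prompts. */
public class FormCallbackHandler implements CallbackHandler {
    private final Function<String, String> params; // in a servlet: request::getParameter

    public FormCallbackHandler(Function<String, String> params) {
        this.params = params;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(required("username"));
            } else if (cb instanceof PasswordCallback) {
                char[] pw = required("password").toCharArray();
                ((PasswordCallback) cb).setPassword(pw); // setPassword stores its own copy
                Arrays.fill(pw, '\0');                   // wipe the local copy
            } else {
                // Refuse callbacks this handler cannot answer from a form post.
                throw new UnsupportedCallbackException(cb, "Unsupported callback type");
            }
        }
    }

    // A missing field fails the login attempt; the servlet can then re-render the form.
    private String required(String field) throws IOException {
        String value = params.apply(field);
        if (value == null || value.isEmpty()) {
            throw new IOException("Missing form field: " + field);
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> form = Map.of("username", "alice", "password", "s3cret"); // constructed input
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        new FormCallbackHandler(form::get).handle(new Callback[] {name, pass});
        System.out.println(name.getName() + " / " + pass.getPassword().length + " chars");
        pass.clearPassword();
    }
}
```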