I'm building a JEE6 project on a Glassfish server and I'm trying to authenticate in the following way:
-Use the JOpenId library to authenticate with Google Server
-Redirect to a servlet that requests Google Oauth2 access
-Redirect to a JSF index page that is restricted to authenticated users.
I could manually build authentication in every single webservice, web servlet and JSF page, but it's easy to forget this security rules, so I'd prefer to use a security mapping in web.xml.
As far as I can see however, the build in security provider is pretty limited to custom programmatic authentication. I don't want to use the predefined "form" authentication of Glassfish either, because I'm already using openid.
I'm trying to achieve something like this, but without form login.
http://stackoverflow.com/questions/9082208/programmatically-add-roles-after-authentication When I try to edit an javax.security.auth.Subject object, it throws me a 'subject is read-only' error.