I have a JBoss AS 4.3 web service application that has basic authentication using the 'UsersRolesLoginModule' configured using login-config.xml, web.xml, jboss-web.xml, user.properties etc. All authentication works fine till now!
The new 'unique' requirement (almost a reversal of the original requirement!!!) is that this authentication needs to be flag based! This is because the client may be delayed in getting the changes ready to invoke with username/password. Until then, we want the new changes to be deployed and "some configuration" on the server to switch OFF the authentication until the client is ready. When the client is ready, we switch the configuration ON. The idea is NOT to change the application ear!
In short, I would pass a null username and password, and it should go through. Tried the following ...
1. Setting 'unauthenticatedIdentity' property -- but it doesn't work!
2. Tried custom login module -- it doesn't get invoked when username and password are null!
3. Removing realm info from login-config.xml -- goes hunting for the defaultSecurityAuthentication i.e. defaultuser.properties
Interesting problem, and would like to know different views...
That's a weird and potentially problematic requirement in terms of security. But if that's what you want, then take a look at this Security on JBoss chapter http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html and pay special attention to section 8.4.4, which explains the possible values of the "flag" attribute on a login module within a login module stack. I think you might be able to come up with something by properly setting up the login module stack and the flag attribute on them.
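An added example, not part of the original thread or of JBoss: a small Python check that evaluates a login module stack under the standard JAAS flag rules (required, requisite, sufficient, optional) and reports which application policies in a login-config.xml are relaxed, so a temporary switch-off is not left in place unnoticed. The XML sample and the policy names `ws-strict` and `ws-relaxed` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed login-config.xml; the policy names are made up for this example.
SAMPLE = """<policy>
 <application-policy name="ws-strict"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
 </authentication></application-policy>
 <application-policy name="ws-relaxed"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
   <module-option name="unauthenticatedIdentity">guest</module-option>
  </login-module>
 </authentication></application-policy>
</policy>"""

GATES = ("required", "requisite")

def jaas_outcome(stack):
    """Overall JAAS result for a stack of (flag, module_succeeded) pairs."""
    required_failed = gate_seen = any_ok = False
    for flag, ok in stack:
        any_ok = any_ok or ok
        if flag in GATES:
            gate_seen = True
            if not ok and flag == "requisite":
                return False          # requisite failure stops the stack
            required_failed = required_failed or not ok
        elif flag == "sufficient" and ok and not required_failed:
            return True               # sufficient success short-circuits
    # With no required/requisite module, one sufficient/optional must succeed.
    return not required_failed if gate_seen else any_ok

def audit(xml_text):
    """Map each application-policy name to a list of relaxations found."""
    report = {}
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        modules = policy.findall("./authentication/login-module")
        notes = []
        for mod in modules:
            for opt in mod.findall("module-option"):
                if opt.get("name") == "unauthenticatedIdentity":
                    notes.append("unauthenticatedIdentity=" + (opt.text or "").strip())
        if not any(mod.get("flag") in GATES for mod in modules):
            notes.append("no required/requisite module")
        report[policy.get("name")] = notes
    return report

if __name__ == "__main__":
    for name, notes in audit(SAMPLE).items():
        print(name, "->", notes or "strict")
```

An empty list for a policy means every request must pass a required or requisite module and no unauthenticated identity is configured.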