Well – JAAS and GlassFish. I naively assumed this would be easy to get to work. It’s not.
I started out by building a login module that extended
AppservPasswordLoginModule and plugging it directly into
login.conf. I then created a Realm that used it and continued on my merry way.
The moment I tried to extend beyond a simple user name and password (being passed through vi the
j_security_check form) things broke down.
It turns out that the Realms in GlassFish don’t allow you to plug in “any” JAAS compliant LoginModule. In fact they seem to assume that any kind of authentication you want to do relies on username and password. That makes sense as the realm handles the user input, so if you want to deviate from that standard, you need to go outside what the realm can handle.
In the end, I ended up implementing a JSR 196 SAM (ServerAuthModule). This in turn was an interesting exercise – much of the stuff that GlassFish looks after for you in configuration now needs to be handled directly. For example detecting a not logged in user and redirecting to a login page and then redirecting back when the auth occurs. My SAM plugs direct into GlassFish and I no longer use the realm for those parts of the app with my customised authentication process.
Very interesting. But I now have a SAM that operates as a login bridge and calls a JAAS LoginModule implementation for my authentication.