How to implement a custom authentication module in AS 7?
Background: I have several webapps running on Tomcat. I have an external authentication system (running outside Tomcat) which authenticates users and also returns the user's roles granted by the authentication system. I wrote a Tomcat valve which speaks with the (external) authentication system. If the user cannot be authenticated, the valve blocks the request; otherwise this valve creates a Principal instance, which can be accessed in the application (request.getUserPrincipal()).
Now I want to switch to AS 7 with my apps. How can I add such functionality to AS 7?
(I tried Glassfish and wrote a JASPIC-JSR196 module, but AS 7 does not support JSR196. So is there a way in AS7 to do that?)
My question is: Is there an interface in AS7 where custom authentication stuff can be performed?
My special case is: I have an authentication server which acts as a reverse proxy (and it sits in front of the app server). So only authenticated requests come to the app server. So it is not a problem to prevent non-authenticated users from accessing the app server. The problem is that each authenticated user has some properties (e.g. belongs to which department, has some name, has some roles, ...). And I want to access these properties in a JEE way. In my Tomcat valve I put these properties in a custom Principal. This principal can be accessed with JEE API calls (request.getUserPrincipal()) in the web app. request.isUserInRole() also works fine, so a developer can use declarative security with the standard JEE means.
=> Is there a way to do this in AS7?
I don't have a solution for this, but if you do a real container authentication, then it should automatically propagate to the EJB modules. E.g. if request.getUserPrincipal works, the corresponding call should also work inside an EJB.
For this question, maybe the EJB issue is not that relevant and the focus should be on getting this request.getUserPrincipal to work. JBoss AS 6 and before had a very elaborate system for plugging in Login Modules (either your own or ones provided by JBoss), so I guess this really should be supported in JBoss AS 7 as well.