Sometime you desire to perform authentication of web applications hosted on JBoss Application Server using any of the HTTP request aspects. It can be headers, cookies or request parameters.

There are two ways to do based on the constraints of each method.

Method 1: Use a Tomcat Authenticator

JBoss AS provides GenericHeaderAuthenticator that can perform authentication based on http headers.

If you desire to use cookies or request parameters, look at the source code of GHA and write an authenticator yourself.

Benefits

1. You can control the username under which the authentication is performed.

Constraints

• You will have to configure the authenticator in a WEB-INF/context.xml

Method 2: Use a JAAS Login Module

Assuming your web app is configured with security constraints in web.xml, you can write a login module to pick up the entire http request and then perform whatever authentication you want to do. You can read cookie values, http header values, request params, SAML Tokens, OpenID tokens, Custom tokens etc and influence the authentication.

Benefits

• Complete control over the authentication semantics.

Constraints

• You cannot influence the username under which the authentication is done. The username is whatever the JAAS framework was called with.

How to do Method 2?

1. Write a JAAS Login Module that extends org.jboss.security.auth.spi.AbstractServerLoginModule
2. In the login method, you can get the servlet request by "Get Servlet Request"
3. Override the getIdentity method to return a principal
4. Override the getRoleSets method to return a Group Principal that contains principals representing roles. The Group Principal is from the JDK here.
5. For more guidance on how the login module should look like, take a look at the JBoss login modules in the package: http://anonsvn.jboss.org/repos/jbossas/projects/security/security-jboss-sx/tags/2.0.4.SP7/jbosssx/src/main/java/org/jboss/security/auth/spi/