I was looking at how the SecurityAssociationHandler is being used in the JaasSecurityManager class. The JaasSecurityManager class contains an instance of the SecurityAssociationHandler. I may be missing something here, but when the authenticate method of JaasSecurityManager is called, it appears to always call the defaultLogin method which creates the LoginContext using the SecurityAssociationHandler instance (which only supports username and password callbacks). I can't see any way to make the JaasSecurityManager use a different callback handler (but as I said before, maybe I'm missing something). Also, I should mention, the 3.0 source I'm looking at is probably at least a month old.

However, I've figured out that I don't really need to use JaasSecurityManager. The answer is to write my own SecurityManager class. I couldn't just extend JaasSecurityManager because the methods I needed to override are private, so I just duplicated it and changed it so that I could use my own callback handler. This appears to have worked except now I'm running into a different issue with TimedCachePolicy but that's another post....

Thanks for the inquiry. I hope that by looking at the JaasSecurityManager class, you'll see why I think you're stuck with SecurityAssociationHandler (unless you implement your own SecurityManager). Again, I apologize if I've misunderstood something here. Thanks.

Terry

> Hi,
>
> Neither AbstractServerLoginModule nor
> UsernamePasswordLoginModule use SecurityAssociation.
> What makes you think you would have to use it in your
> login module?
>
> Luke.

Ah! Thanks for the tip Luke. I hadn't thought of using the SecurityAssociationCallback. I was able to use it to retrieve my custom Principal in the login module. This will allow me to use the JaasSecurityManager and still propagate my custom Principal. Thanks again.

Terry