For my webapp I am trying to combine the NtlmHttpFilter (http://jcifs.samba.org) with JBoss' LdapLoginModule.
I managed to get the LoginModule to work. The drawback is that I always have to enter my Windows login name and password when accessing the web page for the first time.
I also managed to get the NtlmHttpFilter to work (in another webapp). I configured the filter in the web.xml and it works really well, meaning I don't have to enter my username and password and my JSP page displays the correct username. The drawback here is that I haven't found a way so far to create the Principal for the user (including roles) and supply that to JBoss security.
But what I want to achieve is the following:
1. go to the web page
2. the servlet filter uses NTLM (or SPNEGO) and tries to do real (Windows-)SSO.
3. if the servlet filter is successful it fills the principal object and hands it over to jboss
4. in case Windows-SSO doesn't work (e.g. I am using Mozilla on Unix) the LoginModule jumps in and asks me for my username and password
I know that there is an option for the NtlmHttpFilter to do basic authentication, but I don't want to use that since the LdapLoginModule works really well and because I have already extended this module to add some more specific roles and do some more validating.
As I found out from reading other posts around here, it seems like servlet filters are called after the LoginModules. So what can I do to combine both ways of authentication?
Thanks for any hints on how I can achieve this.