I'm writing an application that I plan on securing with JAAS. The application's user will be authenticating/authorizing against a SQL database. I need a bit more functionality than provided by org.jboss.security.auth.spi.DatabaseServerLoginModule.

Is it workable to extend DatabaseServerLoginModule and distribute it with my application? If so, will the standard conf/login-config, web.xml, jboss-web.xml scheme still work even though the module code is in a different package? On the other hand, is it considered best practice to implment LoginModule myself and if so, how will the http invoker know to execute this code?

Thanks for your patience.