I have a requirement where in the JBOSS application should be able to look for a header variable[This would contain the username of the authenticated user by th external system ], trust this user and not prompt for re-authentication. If the HEADER-VAR is not present the authentication should be prompted.

While going through the forums, I came accross an option to write a Tomcat Valve or a Cutom Login Moudule to acheive this:

Unfortunately the picture is not clear to me.It would be great if someone could elaborate on these options.

Few queries are:
1. Using a valve:
-Where do we include this valve such that it will get invoked before authenticator?
-After checking for header in request, what other operation need to be performed, such as Context/Principal setting, So that the container will understand that Authentication is not to prompted.
-Do i need to implement a Custom Login module even if I use a valve?

2. Using custom Login module
Login module doesn't have request handler, what would be the option to retrieve request header in this case? Implementing Cutom Callbackhandler too won't work since no callback implementation that retrieve header info.

Am new to JBOSS/JASS.
Your help in meeting this requirement is appreciated.