as long as your roles are fixed for the time span of the session of a user, you can handle it all in the login module. You still might decide that it is best to encapsulate your specific data base access into a custom user and/or role module though. It simply depends on your requirements.
But you can stay away from JACC, unless you need a more dynamic role membership (depending on more time critical parameters...)
Thanks mholzner - that was useful to know.
So. I implemented a LoginModule and replaced it in login-conf.xml and that works great.
Now I need to replace UserModule and RoleModule - do I?. Any pointers on how best to do this?
I see references to them in the jboss-portal.sar/META-INF/jboss-service.xml
Is it as simple as creating my own implementations and pointing these services at my classes? Replacing MBean services core to portal is stretching my understanding somewhat.
(using Portal 2.4.0 ALPHA now)
I've done that. We have an ugly old custom database that contains users and passwords. Suprisingly, it almost matches the JBOSS person mode, but for example I needed to do some customization for the enabled (we use isExpired which is boolean too but opposite :().
Another requirement for me is one I'm suprised isn't already supported; Mapping roles to groups instead of persons. In most application servers I can map roles to existing domain user groups or user database groups, and when we have a mass of a couple of hundred thousand potential users, we do need to have that.
So I did end up replacing UserImpl (to accommodate for our ugly database). This required me to do hibernate-mapping for them again (which was suprisingly easy). I also addded a new class GroupImpl with interface Group, and mapped one-to-many to user for it (User groups come from companies). Groups have same mapping to roles as person have. Also needed to change the hibernate config file for this domain, to point to mssql database instead of hsql which rest of the portal is using.
Then I needed to replace UserModuleImpl and RoleModuleImpl, mainly so that their Hibernate queries get proper objects. This requires to register the new objects in jboss-service.xml as well as for jboss-portlet.xml (they get injected to userportlet). Finally I replaced UserPortlet with a new one, that supports listing groups and registering roles for them.
Couldn't see much easier way to do what I wanted. Some people have shown you can use multiple authentication mechanisms, and just overwrite ModelLoginModule (IdentityLoginModule) to add users to Hibernate db if they have been authenticated elsewhere - however, this didn't work for me. Unfortunately my work hasn't been common enough to be contributed, pretty much custom work for custom purpose.
But all can be done, and it's suprisingly logical once you get to it, although much work too. And you do need to get familiar with registering jboss services etc, get a good book or buy some consultancy. :) Good thing is that user-role part is separated from other parts so can be done in a different database just by altering the hibernate mappings. I'm not a JBOSS expert per se, just have had to look into this part a lot recently.