It seems you need to configure the authenticator and/or have a  constraints in the webapp you are using

In my context.xml file, I define a Valve

<Context>

  <Valve className="com.mycompany.auth.MyValve" />

</Context>

Doesn't this become my configured authenticator for the context? MyValve extends AuthenticatorBase which implements Authenticator. It is a valid authenticator.

I have also tried numerous changes in the web.xml with and without constraints. But it is my understanding that one of the reasons for this functionality is to remove the dependency of having constraints and just allowing a dynamic login.

(http://blogs.sun.com/nithya/entry/new_security_features_in_glassfish1)

Anyway, here is my current web.xml:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"

          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
              http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          version="2.5">

  <servlet>
     <servlet-name>AuthenticationServlet</servlet-name>
     <servlet-class>mycompany.AuthenticationServlet</servlet-class>
   </servlet>

  <servlet-mapping>
     <servlet-name>AuthenticationServlet</servlet-name>
     <url-pattern>/hello</url-pattern>
   </servlet-mapping>

  <welcome-file-list>
     <welcome-file>index.html</welcome-file>
   </welcome-file-list> 
 
  <security-constraint>
     <display-name>Security Constraints with  Authorization</display-name>
   
     <web-resource-collection>
       <web-resource-name>AuthorizedPages</web-resource-name>
       <url-pattern>/hello</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
   
    <auth-constraint>
       <role-name>*</role-name>
    </auth-constraint>
    
    <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
  </security-constraint>

   <security-role>   
    <description>Authorized user  roles</description>
    <role-name>*</role-name>
   </security-role>

  <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>authentication</realm-name>
   </login-config>

</web-app>

Maybe JBoss has sample code that shows how this works? Or maybe there is a different way to configure an authenticator?

Ok. I have found a way to get it to work but it has become unnecessarily complex.

In the Valve::start() method, if I add

     this.context.setAuthenticator(this)

then it works. The real problem is that the setAuthenticator method only exists in the new servlet 3.0 so it can't be assumed to be there, which means you have to create a way to handle this.

I guess what I was expecting was something like this:

<Context>

  <Valve className="com.mycompany.auth.MyValve" setAuthenticator="true"/>

</Context>

Then it is easy to configure and the Valve can easily throw any values it doesn't recognize (for code that predates the setAuthenticator stuff)

Is this the expected way of handling this? Is there a better way?

Unfortunately, not quite the same. A context can now have a default Authenticator associated with it, which is what I am trying to accomplish. The new 'setAuthenticator()' method appears to be specific to the JBossWeb implementation as no such method exists in the Tomcat code (even Tomcat7)

My suggestion would be for JBoss to provide a more elegant way of configuring this, much like the login-config.xml is used as a better way to  configure where Tomcat requires a jaas.conf file. I think it would be nice to provide this in the context.xml file like I suggested earlier.

Do any of the JBossWeb developers ever see suggestions from here?

Yes, I think that is it. The ContextConfig class has a method authenticatorConfig() which will configure a Valve that implements Authenticator as the default authenticator.

I will look forward to trying the M4 release.