Try to specify your question, if you want a valuable answer. You are asking a solution, which is firstly hard to explain in few words, second depends highly on the requirement of application.

And to be frankly, people helps to solve the concrete problem here, but not supply the whole solution. You may need to keep it in your mind.

======================

For your question, you have authentication service, you want use it to replace the original one from picketlink project.

Then you need try to find out the authentication process in gatein, which component is relevant in this process. choose which component should be rewrite to redirect the authentication process to your web services.

It is hard decision, and depends highly on the requirement and circumstance of your applications landscape.

And what is your plan for authorization, do you want also use authorization from picketlink or you also have independent authorization service?

in class ShareStateLoginModule.java in GateIn project.

there is code:

/*================================

String username = (String)sharedState.get("javax.security.auth.login.name");
         String password = (String)sharedState.get("javax.security.auth.login.password");
         if (username == null || password == null)
            return false;

         Authenticator authenticator = (Authenticator)getContainer().getComponentInstanceOfType(Authenticator.class);

         if (authenticator == null)
            throw new LoginException("No Authenticator component found, check your configuration");

         Credential[] credentials =
            new Credential[]{new UsernameCredential(username), new PasswordCredential(password)};

         String userId = authenticator.validateUser(credentials);

         Identity identity = authenticator.createIdentity(userId);

=====================================*/

which i believe is the authentication action for login.

It can be the start point for you to redesign your authentication:  Either rewrite here or rewrite the class Authenticator, or the class it uses.

IDM.pdf is a general relationship between different classes from different package in gateIn. It may not be 100% correct and precise.

I hope it can help you to understand the work principle of IDM in gatein.

First of all, users access and session is another service from Picketlink. It defines who have write to access which portlet. ( in portal level).

It may be implemented as IdentitySessionImp.java, see the IDM.pdf you may need find it by yourself.

Second, if you want implement your application as independent service in gatein, without code change, then you mean you write independent session control for login logout, and access control for your application instead of change the code from gatein.

In this way, you need to remember, this application also follows the security policy of gatein. If this application has own security services, it works only inside this portlet.

In this way, there are actually two levels for authentication.

1. User can login in the portal Gatein. After that, he will be authorized to be able to see your portlet or not. And user uses Username from repository of Picketlink.

2. User can login in your portlet. After that, he will be authorized by you to be able to access your services in this portlet, or other you implemented portlet. And user uses Username from your "personal" repository.

As my opinion, to cover your requirement,  either you try to connect pinketlink to your repository for authentication, and following the authorization policy of gatein to redesign the process and access for your web application.

or

you try to write your web application as independent portlet in gatein. However in this way, i don't way what kind of other services can you still use from gatein.

And in fact, change the repository of users and their access to web application (Web service has another meaning! ) is BIG change. It represents almost all tasks of Picketlink. If you have time, my suggestion is read the documents about it.