How does the authentication actually occur?
Is there something special in the HTTP messages or is it still a form of username/password authentication?
How do you authenticate with your remote system? Is it something like a database/ldap or something more specific?
My question is: Is in AS7 an interface where custom authentication stuff can be performed?
My special case is: I have an authentication server, which acts as reverse proxy (and it sits before the app server). So only authenticated requests come to the app server. So it is not the problem to prohibit non autheticated users to access app server. The problem is, that each authenticated user has some properties (e.g. belongs to which department, has some name, has some roles, ...). And I want to access these properties in a JEE way. In my tomcat valve I put these properties in a custom Principal. This principal can be accessed with JEE API calls (request.getUserPrincipal()) in the web app. request.isUserInRole() also works fine, so a developer can use declarative security with the standard JEE means.
=> Is there a way to do this in AS7?
Do you have any need for this to be propagaed on to an EJB tier at all or is it fine for this to just be visible in the web tier?
Actually I need it in the web tier. (Becaue we don't already have any EJBs, because we migrating from tomcat - but in future we will use EJB, and then we need it in the EJB tier.)
Whats the difference?
Do you have a solution for one of the both?
I don't have a solution for this, but if you do a real container authentication, then it should automatically propagate to the EJB modules. E.g. if request.getUserPrincipal works, the corresponding call should also work inside an EJB.
For this question, maybe the EJB issue is not that relevant and the focus should be on getting this request.getUserPrincipal to work. JBoss AS 6 and before had a very elaborate system for plugging in Login Modules (either your own or ones provided by JBoss), so I guess this really should be supported in JBoss AS 7 as well.