1 Reply Latest reply on May 10, 2012 1:10 PM by j4m3s

Custom LoginModule sorted in standalone.xml - but one last problem

j4m3s Apr 25, 2012 10:39 AM

I've managed to implement a custom LoginModule that's deployed to AS7.1.1.Final an working well - with one problem. I can't figure out how to stop the server prompting for a username and password. I don't need them in my module (I authenticate based on a sessionID set by a proxy server), but can't find how to stop the server from generating the BASIC login box.

In order to tell jboss/ tomcat to use my LoginModule I've added the <login-config> section in my web.xml file - with, you've guessed-it,

<auth-method>BASIC</auth-method>

If I remove the auth-method section altogether, the app won't deploy. If I remove the whole <login-config> section, my LoginModule never gets called, a 403 is returned to the browser straight-away (even though the LoginModule is specified in jboss-web.xml).

What should I use in the auth-method element to prevent the browser prompting for user credentials but simply pass straight through to my LoginModule? I've read a bit about valves - is there a "null" one that I need to deploy to get tomcat to simply pass-on to the LoginModule?

Thank you,

James.

1. Re: Custom LoginModule sorted in standalone.xml - but one last problem

j4m3s May 10, 2012 1:10 PM (in response to j4m3s)

I had to write my own Tomcat Authenticator valve (extended AuthenticatorBase) and could then set the auth-method to either CLIENT_CERT or SECURITY-DOMAIN.

This took a long time to figure out on my own given the variety of versions of the documentation - I hope posting the answer here saves someone else a lot of time.
Actions