0 Replies Latest reply on Jan 28, 2014 8:59 AM by daniell

    Wildfly8-Security: application-specific login-modules

    daniell

      We are using Wildfly 8.0.0.CR1 and have an EAR containing an application which is accessible via a (JSF2) web interface and also EJB-RMI.

      When trying to secure the web application, one can find many tutorials, documentation and libraries. But it is hard to find documentation which describes what is really going on when it comes to the remoting part of the application (how does the login process work, where are the credentials or the session information stored, ...).

      In our domain model of the application we have Person- and User-entities which are stored in a database. The idea is to have the same usernames and credentials in the web interface and the remote interface. One property of the user is the authentication method, which identifies if the user has to be authenticated via LDAP or database or any other mechanism. So I was thinking of writing an extension for Wildfly to leverage our model's capabilities.

       

      When I did this for JBoss AS 5, I implemented my own JAAS login module by implementing javax.security.auth.spi.LoginModule and registered it in the login-config.xml configuration file.

       

      After reading "Security Realms - WildFly 8 - Project Documentation Editor", I could do the same with Wildfly8 (using the jaas authentication), but a red bar in this documentation tells me that this is not the way to go. It sounds more sophisticated to use the plugin mechanism to extend the Wildfly security subsystem for my needs.

      But as far as I understood, the plugin must be a separate module which is situated in ${WILDFLY_HOME}/modules. But then, it is not part of my application any more. I cannot use my model classes, DAOs, business logic, ... Instead, I have to duplicate some knowledge and code.

       

      So is there a way to fulfill our requirements using the plugin-mechanism? Or is JAAS our only solution?
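
The design described in the post (a per-user authentication method that selects the backend), sketched as a `javax.security.auth.spi.LoginModule`. This is an added example, not code from the poster or from WildFly; the class name, the `Authenticator` interface, the in-memory maps and the sample credentials are hypothetical stand-ins for the User entity and the real backends, and the code assumes Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DelegatingLoginModule implements LoginModule {
    // Hypothetical strategy interface: one implementation per authentication method.
    interface Authenticator { boolean verify(String user, char[] password); }
    // Constructed sample data: user name -> authentication method (stands in for the User entity).
    static final Map<String, String> METHOD_OF = Map.of("alice", "DATABASE", "bob", "LDAP");
    // Constructed backends; a real one would check a salted password hash or perform an LDAP bind.
    static final Map<String, Authenticator> BACKENDS = Map.<String, Authenticator>of(
        "DATABASE", (u, p) -> MessageDigest.isEqual(
            new String(p).getBytes(StandardCharsets.UTF_8), "db-secret".getBytes(StandardCharsets.UTF_8)),
        "LDAP", (u, p) -> false); // placeholder: no directory is available in this sketch
    private CallbackHandler handler;
    private boolean succeeded;

    @Override public void initialize(Subject s, CallbackHandler h,
                                     Map<String, ?> shared, Map<String, ?> opts) { handler = h; }

    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        PasswordCallback pass = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();
        try {
            String user = name.getName();
            String method = user == null ? null : METHOD_OF.get(user);
            Authenticator backend = method == null ? null : BACKENDS.get(method);
            // Fail closed, with one message for unknown user, unknown method and wrong password.
            succeeded = backend != null && pw != null && backend.verify(user, pw);
            if (!succeeded) throw new FailedLoginException("authentication failed");
            return true;
        } finally {
            pass.clearPassword();                   // wipe the callback's internal copy
            if (pw != null) Arrays.fill(pw, '\0');  // wipe the copy handed to the backend
        }
    }
    @Override public boolean commit() { return succeeded; } // a real module adds principals/roles here
    @Override public boolean abort() { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```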