I would like to disable Jaas in a smart way (for developers environment mainly, but we would like to have SSO switch on/off feature on stage/prod env. also).
Authentication in my app looks like this (with SSO):
1. security-constraint defined in web.xml, form based, login page: loginSSO.jsp
2. not authenticated user goes to loginSSO.jsp and is redirected to external portal for authentication.
3. external portal authenticates and sends SAML token in redirect response
4. custom valve validate SAML token (extracts username and so on) and runs custom Realm which creates subject and principal.
5. SingleSignOn valve caches it for other web apps.
I would like to turn Jaas off somehow, so I could login in this way:
1. user goes into login.jsp (not loginSSO.jsp which redirects to external system) and provides username in simple form.
2. application takes username and authorize only based on username (no authentication) - this works currently fine when I comment security-constraint
I would like to avoid commenting security-constraint manually in web applications, because I'm sure that developers will forget to uncomment it befor production deployment.
Is there any way to turn Jaas off in a smart way (by changing global Jboss configuration, not by changing web application specific files) ?
You looked at Project PicketLink?