I've managed to implement a custom LoginModule that's deployed to AS7.1.1.Final an working well - with one problem. I can't figure out how to stop the server prompting for a username and password. I don't need them in my module (I authenticate based on a sessionID set by a proxy server), but can't find how to stop the server from generating the BASIC login box.
In order to tell jboss/ tomcat to use my LoginModule I've added the <login-config> section in my web.xml file - with, you've guessed-it,
If I remove the auth-method section altogether, the app won't deploy. If I remove the whole <login-config> section, my LoginModule never gets called, a 403 is returned to the browser straight-away (even though the LoginModule is specified in jboss-web.xml).
What should I use in the auth-method element to prevent the browser prompting for user credentials but simply pass straight through to my LoginModule? I've read a bit about valves - is there a "null" one that I need to deploy to get tomcat to simply pass-on to the LoginModule?
I had to write my own Tomcat Authenticator valve (extended AuthenticatorBase) and could then set the auth-method to either CLIENT_CERT or SECURITY-DOMAIN.
This took a long time to figure out on my own given the variety of versions of the documentation - I hope posting the answer here saves someone else a lot of time.