One simple solution is to simply concatenate the password and SSN and have a custom login module validate the combined password by validating the pieces.
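The concatenation approach from the reply above, sketched as a plain JAAS login module. This is an added example, not code from the thread or from JBoss. The class name, the fixed nine-digit SSN suffix, the lookup helpers and their sample values are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical module: the password field carries the password followed by a 9-digit SSN. */
public class CombinedSecretLoginModule implements LoginModule {
    private static final int SSN_LEN = 9; // assumption: SSN typed as 9 digits, no dashes
    private CallbackHandler handler;
    private boolean ok;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback secret = new PasswordCallback("password+ssn: ", false);
        try {
            handler.handle(new Callback[] { name, secret });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] combined = secret.getPassword();
        secret.clearPassword();
        if (combined == null || combined.length <= SSN_LEN) throw new FailedLoginException("bad credentials");
        // Split on a fixed suffix length, not a delimiter, so the password may contain any character.
        String password = new String(combined, 0, combined.length - SSN_LEN);
        String ssn = new String(combined, combined.length - SSN_LEN, SSN_LEN);
        // Evaluate both pieces (non-short-circuit &) so the failure does not say which piece was wrong.
        ok = matches(password, lookupPassword(name.getName())) & matches(ssn, lookupSsn(name.getName()));
        if (!ok) throw new FailedLoginException("bad credentials");
        return true;
    }

    private static boolean matches(String given, String expected) {
        return expected != null && MessageDigest.isEqual(
            given.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    // Constructed sample data; a real module would query the user store instead.
    private String lookupPassword(String user) { return "java".equals(user) ? "s3cret" : null; }
    private String lookupSsn(String user) { return "java".equals(user) ? "000000000" : null; }
    // A real module would also add the user's principals to the Subject in commit().
    public boolean commit() { return ok; }
    public boolean abort() { ok = false; return true; }
    public boolean logout() { ok = false; return true; }
}
```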
But what if I had a drop-down on the login page where the user could choose the system they were logging into... I need access to the HttpServletRequest object to be really flexible and to invoke the login method on the LoginContext manually from a Servlet. I tried that and although it says I am authenticated, JBoss challenges me when I try to access a protected resource. That would give me full control over the authentication process.
The current model of authentication is not flexible enough. Can anyone come up with an example of why one should not be allowed to manually authenticate via the login method from a Servlet? Wouldn't that be the same as a client app invoking a login? It seems to me it should be.
Nothing prevents you from doing a JAAS login from within your servlet code. See org.jboss.test.web.servlets.ClientLoginServlet for an example.
I tried a variation of that and it does not work.
I have a login form call a LoginServlet that does the login process. I see the "[Default] User 'java' authenticated." come up in the command window and do a sendRedirect( "index.html" ) which I have secured in my web.xml file. I then get prompted to log in again!
If I change the login form to not use my LoginServlet and submit to 'j_security_check', it works. Same LoginModule mind you.
So why doesn't the server recognize that I have been authenticated?