This is my understanding :
the LoginModules are JAAS login modules, and you must use the mechanisms specified by JAAS (see http://java.sun.com/products/jaas/ ).
You don't have direct access to your HttpRequest, or to anything else for that matter, in your login module. You need to define a callback handler; simple login modules just use the org.jboss.security.auth.callback.UsernamePasswordHandler to read a username & password.
I'm having similar problems trying to understand how JAAS and the servlet spec fit together. When I looked at the SUN code for some LoginModules, I noticed that some shared data is being accessed to bypass the callback mechanism, since the login/password form has already been displayed, filled out and posted. So somehow the login/pass tunnels down through the app server into login modules using shared data (yet not in the HttpRequest/Session). The J2EE, JAAS and servlet specifications do not tie this together, hence it is left to the vendor. SUN needs to provide a connection point between these specs where a HttpLoginModule interface is provided to bridge together the world of the servlet container, the app server and J2EE security.
I'm sure several developers have gotten around this problem in many ways without having to understand the plumbing within their specific application server. We just need one to read these messages.
Q: Does the application/servlet container implementation call the LoginContext.login interface automatically, or is it the responsibility of the app? And if so, how would it pass on the required parameters, especially if it does not know which HTTP request params correspond to username and password?
I think the application must do this through the LoginContext, yet how this ties into a realm implementation in, say, Catalina or JBoss I don't know. Perhaps a realm interface specific to Catalina or JBoss is provided on top of the LoginContext to handle this. Anyway, this situation would still not explain how username and password parameters are passed down through the login() interface of the login module. Some piece of code must be instantiating the Subject, instantiating the LoginContext with that subject, and somehow putting the required parameters for authentication into the LoginModule's shared state.
Any clarification here would be extremely useful!
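The plumbing the posts above ask about, shown end to end as an added example (not code from any post in this thread, and not the JBoss implementation): a plain JAAS LoginModule that obtains credentials only through NameCallback/PasswordCallback, a CallbackHandler that carries the posted form parameters, and the servlet-side code that instantiates the LoginContext with that handler and drives login(). It uses only the standard javax.security.auth API rather than the JBoss UsernamePasswordHandler. The form field names j_username/j_password, the configuration name "demo", the hard-coded demo credential, and the sample parameter maps standing in for request.getParameterMap() are all assumptions constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class FormLoginDemo {

    // Assumed form field names; a real servlet reads them from HttpServletRequest.
    static final String USER_FIELD = "j_username";
    static final String PASS_FIELD = "j_password";

    /** The bridge: a CallbackHandler built from the posted parameters. The
     *  LoginModule never sees the request, only the callbacks this handler fills. */
    static final class FormParamHandler implements CallbackHandler {
        private final Map<String, String> params;
        FormParamHandler(Map<String, String> params) { this.params = params; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(params.getOrDefault(USER_FIELD, ""));
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(params.getOrDefault(PASS_FIELD, "").toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb, "only name/password supported");
                }
            }
        }
    }

    /** Minimal Principal added to the Subject on commit(). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Plain JAAS LoginModule; loaded reflectively, so public with a no-arg constructor. */
    public static class DemoLoginModule implements LoginModule {
        // Demo-only credential; a real module would consult a database or directory.
        private static final byte[] DEMO_USER = "alice".getBytes(StandardCharsets.UTF_8);
        private static final byte[] DEMO_PASS = "s3cret".getBytes(StandardCharsets.UTF_8);
        private Subject subject;
        private CallbackHandler handler;
        private boolean authenticated;
        private String user;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc }); // credentials arrive here, not via a request object
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] pw = pc.getPassword();
            byte[] u = (nc.getName() == null ? "" : nc.getName()).getBytes(StandardCharsets.UTF_8);
            byte[] p = new String(pw == null ? new char[0] : pw).getBytes(StandardCharsets.UTF_8);
            pc.clearPassword();
            // Constant-time comparisons, combined without short-circuit, so timing leaks nothing.
            authenticated = MessageDigest.isEqual(u, DEMO_USER) & MessageDigest.isEqual(p, DEMO_PASS);
            if (!authenticated) throw new FailedLoginException("bad username or password");
            user = nc.getName();
            return true;
        }

        @Override public boolean commit() {
            if (!authenticated) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            return true;
        }
        @Override public boolean abort() { authenticated = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeIf(x -> x instanceof UserPrincipal); return true; }
    }

    /** Programmatic JAAS configuration so no login.config file is needed ("demo" is an assumed app name). */
    static void installConfig() {
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"demo".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        });
    }

    /** What the servlet (or a container realm) does on POST: build the handler and drive LoginContext. */
    static Subject authenticate(Map<String, String> formParams) {
        try {
            LoginContext lc = new LoginContext("demo", new FormParamHandler(formParams));
            lc.login();              // runs DemoLoginModule.login() and then commit()
            return lc.getSubject();  // carries UserPrincipal on success
        } catch (LoginException e) {
            return null;             // login() threw: failed authentication
        }
    }

    public static void main(String[] args) {
        installConfig();
        // Constructed sample posts standing in for request.getParameterMap().
        Map<String, String> good = new HashMap<>();
        good.put(USER_FIELD, "alice"); good.put(PASS_FIELD, "s3cret");
        Map<String, String> bad = new HashMap<>(good);
        bad.put(PASS_FIELD, "wrong");
        Subject s = authenticate(good);
        System.out.println("good login -> " + (s == null ? "FAILED" : s.getPrincipals()));
        System.out.println("bad login  -> " + (authenticate(bad) == null ? "FAILED" : "unexpected success"));
    }
}
```

Compile and run with a plain JDK (javac FormLoginDemo.java && java FormLoginDemo); nothing here depends on a container. The point to notice is that the only object the module ever touches is the CallbackHandler, so the glue between servlet and JAAS lives entirely in FormParamHandler and authenticate(): that is the vendor-specific (or hand-written) part the thread is looking for. Having the Subject created by LoginContext rather than by the servlet keeps the module free of any knowledge of where the credentials came from.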
OK, take a look at what Craig McClanahan (Tomcat/Struts lead) did with his JAAS Realm implementation for Tomcat 4.1.
Once again, my understanding: there is absolutely no connection in the specs between servlets and JAAS. It is all hand-woven. In the case of JBoss, they provide a mechanism you can use, which is of course proprietary (even if it is based on JAAS).
But you can also "do it yourself": you have a form where the username and password fields are named whatever. In your servlet you read out these parameters; then you make a call to a protected EJB in JBoss. If the call fails on a security exception, then the login fails. Otherwise it is successful.
So whenever you're talking about a framework for a login mechanism, from JBoss, Struts or whatever, it's always custom code (which you could write yourself).