Hi.

I'll try and be as concise as possible, but I'm so confused that what follows may be somewhat unintelligible...

I have a custom login module which uses a username and password to access an http authorization server. This auth server returns a String ticket indicating the user is authorized, and I can then use that ticket to get various other info about the user. If I use the standard JAAS login stuff (passing around username and password through the various callback mechanisms) everything works OK, except that I have no way within my login module to know whether the username/password combo has previously been authenticated, so I have to go the the auth server every time. Obviously not good. I could use some caching mechanism but I'd rather avoid this as it could cause problems unless I could clear it somehow when the users session is cleared.

Preferably, I'd like to pass around this "ticket" info as well as the username and password. If a user has a ticket, then she is authorized and I can skip the http call. The problem is how to do this. I've tried writing a custom callback handler and callback which handles this extra text, and I've also tried using the SecurityAssociationCallback using a custom principal. These all fail because of some assumptions made in the JAASSecurityManager - it always uses SecurityAssociationCallback and it always assumes that the principal is a SimplePrincipal.

Is there any way around this? I'm trying to go through all this JAAS (pardon my french) crap because I thought I would be able to "write once" and "run anywhere, or at least on any JAAS compliant server" but if I have to write custom code for every J2EE server I use what's the point? (not to mention the fact that I probably won't be able to do anything even similar on non-open source servers like Weblogic or WebSphere...)

Thanks in advance.

pete.