You don't _have_ to implement AbstractServerLoginModule, but that's the best and easiest way to do it if you want your LoginModule to work with the JaasSecurityManager that comes with JBoss.
I have just implemented a custom LoginModule for JBoss 2.4.3 and it works quite well. All I had to do was to implement the standard javax.security.auth.spi.LoginModule interface, and register the "NewLoginModule" class into the auth.conf file.
It was quite easy to implement the authentication, but I had some problems with authorization: I could not find out how to deal with roles/groups until I reverse-engineered the other login modules that come with JBoss.
Would you like to take a peek?
I would like to see how the user/groups piece is implemented, thanks!
One way to simplify implementation of the AbstractLoginModule is to extend UsernamePasswordLoginModule instead. This reduces the methods needed to implement to authenticate the user and set up roles.
The methods needed are:
The validatePassword() does all the work. Hope this helps.
It doesn't work so well in 3.0.6: You're supposed to use login-config.xml instead of auth.conf but it doesn't appear to work that way. I wonder if I should try auth.conf.
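The user/roles handling discussed in the posts above, as an added example that is not any poster's code: a module extending JBossSX's UsernamePasswordLoginModule, which hands roles to JBoss as members of a Group named "Roles". The class name is borrowed from the earlier post, the in-memory user store is constructed for illustration, and the method signatures should be checked against the JBoss release in use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class NewLoginModule extends UsernamePasswordLoginModule {
    // Constructed in-memory store standing in for a database or directory.
    // A real store would hold salted password hashes, not the secret itself.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        PASSWORDS.put("alice", "constructed-sample-secret");
        ROLES.put("alice", new String[] {"Operator", "Auditor"});
    }

    // Called by the base class during login(): return the stored credential.
    protected String getUsersPassword() throws LoginException {
        String stored = PASSWORDS.get(getUsername());
        if (stored == null) {
            // Same message for unknown user and bad password.
            throw new FailedLoginException("Authentication failed");
        }
        return stored;
    }

    // Reject nulls and avoid stopping at the first differing byte.
    protected boolean validatePassword(String input, String expected) {
        if (input == null || expected == null) return false;
        return MessageDigest.isEqual(input.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    // Called by the base class after a successful login: the security manager
    // reads the caller's roles from the Group named "Roles".
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        String[] names = ROLES.get(getUsername());
        if (names != null) {
            for (int i = 0; i < names.length; i++) {
                roles.addMember(new SimplePrincipal(names[i]));
            }
        }
        // A user with no entry gets an empty group, so role checks fail closed.
        return new Group[] { roles };
    }
}
```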