You'll have to describe the behavior of the Identity Assertor in more detail, but it's likely going to require a custom valve or authenticator.
This is how the identity assertor provider works.
Identity assertion involves establishing a client's identity using client-supplied tokens that may exist outside of the request. Thus, the function of an Identity Assertion provider is to validate and map a token to a username. Once this mapping is complete, an Authentication provider's LoginModule can be used to convert the username to principals.
Identity Assertion providers allow WebLogic Server to establish trust by validating a user. An Identity Assertion provider is a specific form of Authentication provider that allows users or system processes to assert their identity using tokens (in other words, perimeter authentication).
You can use an Identity Assertion provider in place of an Authentication provider if you create a LoginModule for the Identity Assertion provider, or in addition to an Authentication provider if you want to use the Authentication provider's LoginModule. Identity Assertion providers enable perimeter authentication and support single sign-on.
So basically it picks up a token set by an external system and does perimeter authentication. I was wondering if there was anything similar to that in JBoss?
No, but it can be implemented using a Tomcat valve.
When the valve is used, does it call the LoginModule with the data it has received or does the valve place the data somewhere for the LoginModule to pick up and use?
Allow me to pose the question differently. How does the valve communicate with the LoginContext? From reading the manual, it seems that the valve would create a CallbackHandler from the authentication token. Then it would instantiate a LoginContext and send the CallbackHandler to the LoginContext object. It then exits the valve and does its work at the server. Is this correct? Is another valve needed to log out after the work at the server is finished?
It could, but more likely the valve just passes the info into a similar authenticator in terms of the identity and proof of identity to trigger the login module through the Realm associated with the web container. You should look at the existing standard web authentication valves to understand how things tie together. Start with the org.apache.catalina.authenticator.BasicAuthenticator for the BASIC authentication mechanism.
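The flow described in that reply, written out as an added example (this is not code from the thread or from the JBoss/Tomcat projects): an authenticator valve that pulls the asserted identity and its proof from request headers and hands both to the web container's Realm, so the Realm's configured LoginModule, not the valve, decides whether the token is valid. It is written against the Tomcat 9 `AuthenticatorBase` API (`doAuthenticate`, `getAuthMethod`, `register`); the header names, the `trustedAddress` attribute and the package name are assumptions chosen for the example.

```java
package example.auth; // hypothetical package for this example

import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Realm;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;

/**
 * Perimeter ("identity assertion") authenticator, modelled on how
 * BasicAuthenticator works: extract identity + proof from the request,
 * call Realm.authenticate(), register the resulting Principal.
 *
 * The perimeter system is expected to put the asserted user name in the
 * X-Asserted-User header and the proof in X-Assertion-Token (both names
 * are example choices). This valve never validates the token itself; the
 * LoginModule behind the Realm must verify it and return a Principal.
 */
public class TokenAssertionAuthenticator extends AuthenticatorBase {

    private String userHeader = "X-Asserted-User";     // assumed header name
    private String tokenHeader = "X-Assertion-Token";  // assumed header name
    // Only requests arriving from the perimeter host may carry the headers;
    // anything else is rejected outright (fail closed). Configured via the
    // trustedAddress="..." attribute on the <Valve> element (example attribute).
    private String trustedAddress = "127.0.0.1";

    // Setters let the attributes be set from context.xml / server.xml.
    public void setUserHeader(String h) { userHeader = h; }
    public void setTokenHeader(String h) { tokenHeader = h; }
    public void setTrustedAddress(String a) { trustedAddress = a; }

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {
        // Already authenticated earlier in this request/session: nothing to do.
        if (request.getUserPrincipal() != null) {
            return true;
        }

        // Assertion headers are only meaningful from the trusted perimeter host.
        if (!trustedAddress.equals(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        String username = request.getHeader(userHeader);
        String token = request.getHeader(tokenHeader);
        if (username == null || username.isEmpty() || token == null || token.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // Pass identity and proof into the Realm; the Realm drives the
        // JAAS LoginModule, which is where the token is actually validated.
        Realm realm = request.getContext().getRealm();
        Principal principal = realm.authenticate(username, token);
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // Make the principal visible to request.getUserPrincipal() and the
        // session. The password argument is null on purpose so the token is
        // not cached in the session as a reusable credential.
        register(request, response, principal, getAuthMethod(), username, null);
        return true;
    }

    @Override
    protected String getAuthMethod() {
        return "TOKEN-ASSERTION"; // example method name
    }
}
```

To use it, declare the valve in the web application's `META-INF/context.xml` (for example `<Valve className="example.auth.TokenAssertionAuthenticator" trustedAddress="10.0.0.5"/>`); because an Authenticator valve is already present in the pipeline, Tomcat does not add one of its standard authenticators, and the Realm configured for the context supplies the LoginModule. Logout needs no second valve: the registered principal lives in the session, so invalidating the session (or calling `request.logout()`) ends the login.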