I need your help to provide multiple authentication mechanisms for a single web application which has been developed on JBoss AS 4.2.3, Seam 2.1.1.
What we want to do is (at the same time):
- allow client certificate authentication (the username is extracted from a certificate coming from a smart card) and matched against a custom database containing user's password and roles. Such authentication should be provided via a dedicated login page (e.g. crslogin.seam)
- allow an alternative form based authentication via another login page (e.g. standardlogin.seam)
At the moment we have successfully enabled SSL and made mutual authentication work (client certificate is matched against the root certificate on the server), but we are a little bit confused on how JAAS should be configured.
The question is:
- is it possible to provide two different authentication mechanisms for the same web application?
- how should the <security-constraint> section in the web.xml file be configured to select the certificate authentication for the crslogin.seam and the form based authentication for standardlogin.seam?
Any ideas? Thanks, Augusto.