I have a three-part question:
1) Is there a way to propagate an identity other than the username that was specified during login? For example, using the DatabaseServerLoginModule, I want to authenticate the user with a username/password but return the user's id, and not username, when ejbContext.getCallerPrincipal() or httpRequest.getUserPrincipal() is called.
2) Even better, I want to make a custom login module which returns a User object (probably an entity which was loaded from the database). However, even if I wrap that User object up nicely in a Principal subclass in my login module, the EJB-layer never gets that object. Instead, the EJB-layer always gets a SimplePrincipal when getCallerPrincipal is called.
3) I want to be able to trigger a login programmatically, as described in WebAuthentication. However, I need to do this without knowing the password. Imagine a customer service interface where a customer service agent can log in to the application as an end-user. They would click a "login-as" button and we should be able to programmatically log them in as a user, without ever knowing the user's password (the customer service agent is already authenticated himself). You could also have this same scenario with "forgot password" which uses an alternate login mechanism to authenticate the user and then programmatically logs them in.