The login module needs to request the information required for authentication using a custom callback handler. Then you need to install a custom javax.security.auth.callback.CallbackHandler that can provide the current request header info based on a Valve and thread local. A custom CallbackHandler can be installed using the CallbackHandlerClassName attribute of the org.jboss.security.plugins.JaasSecurityManagerService.
The existing IPAddressValve should really just be generalized to save the current HttpServletRequest. The custom CallbackHandler should be in the org.jboss.web.tomcat.security package and it should extend the default org.jboss.security.auth.callback.SecurityAssociationHandler and delegate to it any Callback it does not understand.
There needs to be a unit test added to the testsuite. Look at how the JACC unit tests run on a custom configuration of jboss to see how the tests need to be set up to use the customized JaasSecurityManagerService configuration.
I think I have the complete picture; I'll start coding tonight.
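The handler design described in the post above, as an added example that is not part of the original thread or the JBoss code base: a handler that answers a request-header callback from a thread local and delegates every other callback to a default handler. To compile with the JDK alone it wraps a fallback handler instead of extending SecurityAssociationHandler and keeps a header map instead of the HttpServletRequest; the names HeaderCallback, CURRENT_HEADERS and HeaderAwareHandler are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.*;

public class RequestHeaderCallbackDemo {
    // Hypothetical callback: a login module passes it to ask for one request header.
    static class HeaderCallback implements Callback {
        final String name;
        String value; // stays null when no request is bound to the thread
        HeaderCallback(String name) { this.name = name; }
    }
    // Stand-in for what the valve saves for the thread handling the current request.
    static final ThreadLocal<Map<String, String>> CURRENT_HEADERS = new ThreadLocal<>();

    // Answers HeaderCallback itself and passes every other callback to the default handler.
    static class HeaderAwareHandler implements CallbackHandler {
        private final CallbackHandler fallback;
        HeaderAwareHandler(CallbackHandler fallback) { this.fallback = fallback; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof HeaderCallback) {
                    HeaderCallback hc = (HeaderCallback) cb;
                    Map<String, String> headers = CURRENT_HEADERS.get();
                    hc.value = (headers == null) ? null : headers.get(hc.name);
                } else {
                    fallback.handle(new Callback[] { cb });
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fallback playing the role of the default handler: knows NameCallback only.
        CallbackHandler fallback = cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else throw new UnsupportedCallbackException(cb);
            }
        };
        CURRENT_HEADERS.set(Map.of("X-Forwarded-For", "192.0.2.10")); // constructed sample header
        try {
            HeaderCallback hc = new HeaderCallback("X-Forwarded-For");
            NameCallback nc = new NameCallback("user: ");
            new HeaderAwareHandler(fallback).handle(new Callback[] { hc, nc });
            System.out.println(hc.value + " / " + nc.getName());
        } finally {
            CURRENT_HEADERS.remove(); // pooled threads must not carry request data to the next request
        }
    }
}
```

Header values reach the login module exactly as the client or an upstream proxy sent them, so a module that bases an authentication decision on one should rely only on headers set by infrastructure it controls.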
Just one question: Why not add this new CallbackHandler to the SecurityAssociationHandler?
There is no explicit dependency on the servlet container or servlet api in the security module and none should be added to avoid propagation of an existing problem of cross module dependencies.
There is an implicit dependency due to the JACC service's dependency on the JACC permission classes, and this service should in fact be moved out of the security module to clean this up.
I committed some code to resolve JBAS-1468 in the 4.0 branch. I'll commit it to the HEAD branch later.
I'm working on the unit test right now. If somebody wants to help, you are welcome.
Can you please provide any more hints on how to use this LoginModule?
For example, what configuration do I need to do to login-conf.xml?
What methods do I need to override to get the username and password that were passed from my j_security_check form submission?
Can I override the login() method to do custom things?
Thanks and Regards,