Valves can be configured in AS7/EAP6 in an application's jboss-web.xml file by adding the following to the <jboss-web> element, where "org.jboss.security.negotiation.NegotiationAuthenticator" can be replaced with the desired valve:
<valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
</valve>
Another example using a custom authenticator valve:
<valve>
    <class-name>org.jboss.web.tomcat.security.GenericHeaderAuthenticator</class-name>
    <param>
        <param-name>httpHeaderForSSOAuth</param-name>
        <param-value>sm_ssoid,ct-remote-user,HTTP_OBLIX_UID</param-value>
    </param>
    <param>
        <param-name>sessionCookieForSSOAuth</param-name>
        <param-value>SMSESSION,CTSESSION,ObSSOCookie</param-value>
    </param>
</valve>
Note that here we added additional configuration using the <param> element, which is similar to the <attribute> element used in previous versions when configuring valves in the context.xml file.
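When reviewing a deployment, it helps to read this configuration back out of the packaged war to see which authenticator class is installed and which SSO headers and cookies it is told to accept. The Python below is an added example, not part of the original article or of JBoss: the function names and the sample descriptor are constructed here from the snippet above, and the WEB-INF/jboss-web.xml location is the one this article names.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample descriptor, built from the valve snippet shown above.
SAMPLE_JBOSS_WEB = """<jboss-web>
  <valve>
    <class-name>org.jboss.web.tomcat.security.GenericHeaderAuthenticator</class-name>
    <param>
      <param-name>httpHeaderForSSOAuth</param-name>
      <param-value>sm_ssoid,ct-remote-user,HTTP_OBLIX_UID</param-value>
    </param>
    <param>
      <param-name>sessionCookieForSSOAuth</param-name>
      <param-value>SMSESSION,CTSESSION,ObSSOCookie</param-value>
    </param>
  </valve>
</jboss-web>"""

def _local(tag):
    """Strip an XML namespace so namespaced descriptors parse the same way."""
    return tag.rsplit("}", 1)[-1]

def list_valves(jboss_web_xml):
    """Return [(class_name, {param_name: param_value})], one entry per <valve>."""
    root = ET.fromstring(jboss_web_xml)
    valves = []
    for el in (e for e in root.iter() if _local(e.tag) == "valve"):
        cls, params = None, {}
        for child in el:
            name = _local(child.tag)
            if name == "class-name":
                cls = (child.text or "").strip()
            elif name == "param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        valves.append((cls, params))
    return valves

def valves_in_war(war_bytes):
    """Read WEB-INF/jboss-web.xml from a war (zip) and list its valves."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if "WEB-INF/jboss-web.xml" not in war.namelist():
            return []  # no JBoss descriptor, so no valves configured this way
        return list_valves(war.read("WEB-INF/jboss-web.xml"))

if __name__ == "__main__":
    print(list_valves(SAMPLE_JBOSS_WEB))
```
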
Writing Custom Authenticators
Custom authenticators can be written by either implementing the Authenticator interface or extending already implemented Authenticators. An example of the latter is detailed by Anil Saldhana in his community post. However, due to changes in jboss-web, the authenticate() method's signature has changed in AS7/EAP6 [2,5]. This is important to note when porting the code at  or any old custom authenticators to AS7/EAP6.
The required signature for the authenticate() method is:
public boolean authenticate(Request request, HttpServletResponse response) throws IOException, ServletException;
The modified version of an extended custom authenticator valve from  is provided in the attachment GenericHeaderAuthenticator.java.zip, which extends the ExtendedFormAuthenticator class.
An example of using this custom authenticator is provided here. We base this example on the AS7/EAP6 quick-start "servlet-security". The source code is provided in the attached file servlet-security-custom.zip and the war is attached as jboss-as-servlet-security.war. The changes that were made are as follows:
- Modified dependencies in pom.xml
- Added org.jboss.web.tomcat.security.GenericHeaderAuthenticator
- Modified WEB-INF/jboss-web.xml
- Added <form-login-config> to WEB-INF/web.xml, as we are using form-based authentication here
- Added login.html and error.html for form-based authentication
To deploy this webapp:
- Add a new Application User with 'guest' role
- Package and deploy the war
- You can log on at http://localhost:8080/jboss-as-servlet-security
Important Note: This is just a quick example of how to use a custom authenticator valve. This is not production code.
If you are writing your own authenticator valves, [2,3] can be very useful references.