Using Custom JAAS LoginModule(s) for Authentication in GlassFish
Many users ask: can I use a custom JAAS LoginModule instead of the proprietary GlassFish custom realms for user authentication?
The JSR-196 Login Bridge Profile allows a Server Authentication Module (SAM) to delegate some security processing to JAAS LoginModules. My team member Sudarsan has written a nice blog post on this, with a sample NetBeans project showing the use of the Login Bridge Profile. The sample can be plugged in as a Server Authentication Module for a web application on both GlassFish V2.X and V3.
GlassFish includes implementations of a number of HTTP layer authentication mechanisms such as Basic, Form, and Digest authentication. JSR-196 support in GlassFish allows developers to implement and configure new authentication mechanisms or make alternative implementations of the provided ones. The following tech-tip provides all the details for doing this.
So to answer the question at the top: if you have a SAM that implements an authentication mechanism (say BASIC), then you can use the Login Bridge Profile to configure a JAAS LoginModule in GlassFish that will be invoked by the SAM. The JAAS LoginModule can then perform custom username-password authentication and communicate the resulting Principal and Group information to GlassFish by using the standard callbacks defined by JSR-196 (which are supported by the GlassFish CallbackHandler supplied to the SAM as an argument).
The important thing to note is that the LoginModule, and any CallbackHandler the LoginModule uses, need not contain any proprietary GlassFish code. In other words, the JAAS LoginModule is suitable for use with other containers as well. And if the non-GlassFish container supports JSR-196, the developer is freed from the task of figuring out how to set the Principal and Group information into the target container: the JSR-196 CallbackHandler supplied by the container handles it.
This is in contrast to the Realm, which is a proprietary GlassFish artifact. Though the Realm in GlassFish essentially makes use of a corresponding LoginModule to do its authentication, it requires GlassFish-specific code to ensure that it communicates the Principal and Group membership information to the container in the right manner.
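As an added illustration (not code from this post or from Sudarsan's sample), here is a LoginModule of the kind described above: it imports only JAAS and JSR-196 API types, nothing GlassFish-specific, and hands the caller and group names to the container through the standard callbacks. The class name, the one-user demo store and the group name are hypothetical, and it assumes the handler the SAM passes in answers `NameCallback`/`PasswordCallback` from the request and forwards the JSR-196 callbacks to the container's handler.

```java
import java.io.IOException;
import java.security.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.spi.LoginModule;

public class PortableLoginModule implements LoginModule {
    private static final byte[] SALT = "constructed-salt".getBytes(); // constructed demo data
    private static final byte[] ALICE_HASH = derive("constructed-pw".toCharArray()); // demo store: user "alice"
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    static byte[] derive(char[] pw) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, SALT, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        PasswordCallback pass = new PasswordCallback("password", false);
        try { // Assumption: the SAM's handler answers these from the request it parsed
            handler.handle(new Callback[] { name, pass });
        } catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        char[] pw = pass.getPassword();
        pass.clearPassword();
        boolean hashOk = pw != null && MessageDigest.isEqual(derive(pw), ALICE_HASH); // constant-time compare
        if (!(hashOk && "alice".equals(name.getName()))) throw new FailedLoginException("login failed");
        user = name.getName();
        return true;
    }
    public boolean commit() throws LoginException {
        if (user == null) return false;
        try { // Standard JSR-196 callbacks: the container's handler records them its own way
            handler.handle(new Callback[] { new CallerPrincipalCallback(subject, user),
                new GroupPrincipalCallback(subject, new String[] { "users" }) });
        } catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { user = null; return true; }
}
```

Compiling it needs the JSR-196 API (`javax.security.auth.message`) on the classpath, which a JSR-196 container provides.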