I have a LoginHandler which is being called by JBoss to authenticate the login form.
The problem is, that it needs more information from the form than just the j_username and j_password.
It also needs a "company name" parameter too.
Also, it really needs some parameters from the originally requested URL which specify some back end server details to enable the connection and login to take place. The connection to the server is cached in the HttpSession.
I can't see how to do this. A not-yet-logged-in request is intercepted before any declared Filters, and JBoss's CallbackHandler only accepts UsernameCallback and PasswordCallback.
Before, when I used a Filter to control access, I set up my own CallbackHandler to pass into the LoginContext which accepted new subclasses of Callback so it provided access to the HttpSession (and therefore all attributes in it), so the LoginModule could do anything.
With container-managed authentication, all you get is the username and password. How can this be adequate in 100% of cases?! It's just not good enough!
Well, after much searching, I randomly stumbled across the correct incantation to be able to log out using session.invalidate():
So now, I can log out when they click the logout link.
Next up, how to programmatically determine whether a URL is available to the current user.
I'm of course using container-managed authorization, but it's no good outputting a link only to have the user click on it, and be tipped into the error page by JBoss. I want to have a custom tag for links which does not output any HTML if the URL is not accessible to the current user.
[size=9]No doubt, I'll find the incantation at some random site given enough searching...[/size]
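The Filter-based approach described above (an application-built CallbackHandler that answers a custom Callback carrying the HttpSession, so the LoginModule can read the company name and cached connection details) looks roughly like the following. This is an added example, not the poster's code or anything shipped with JBoss; the class names SessionCallback, FormCallbackHandler, CompanyLoginModule, the "company" session attribute and the checkCredentials() stub are all assumptions. It also shows the failure mode the post complains about: when the container builds the CallbackHandler, the custom callback is refused and login fails instead of silently running without the session.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionAwareJaas {

    /** Assumed custom Callback: carries the HttpSession into the LoginModule. Not part of JAAS. */
    public static final class SessionCallback implements Callback {
        private HttpSession session;
        public HttpSession getSession() { return session; }
        public void setSession(HttpSession s) { session = s; }
    }

    /** Handler built by the application (Filter-based login), so it can answer the custom
     *  callback as well as the two standard ones a container-built handler knows about. */
    public static final class FormCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;
        private final HttpSession session;

        public FormCallbackHandler(String username, char[] password, HttpSession session) {
            this.username = username;
            this.password = password;
            this.session = session;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof SessionCallback) {
                    ((SessionCallback) cb).setSession(session);
                } else {
                    // Refuse unknown callbacks rather than leaving them silently unanswered.
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    /** LoginModule that needs the company name (and whatever else is cached) from the session. */
    public static final class CompanyLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("username");
            PasswordCallback passCb = new PasswordCallback("password", false);
            SessionCallback sessCb = new SessionCallback();
            try {
                handler.handle(new Callback[] { nameCb, passCb, sessCb });
            } catch (IOException | UnsupportedCallbackException e) {
                // A container-built handler ends up here: it only answers name and password.
                throw new LoginException("callback handler cannot supply the session: " + e);
            }
            char[] password = passCb.getPassword();   // getPassword() returns a copy
            passCb.clearPassword();
            HttpSession session = sessCb.getSession();
            String company = session == null ? null : (String) session.getAttribute("company");
            try {
                if (company == null) throw new FailedLoginException("company name missing from session");
                succeeded = checkCredentials(nameCb.getName(), password, company);
            } finally {
                if (password != null) Arrays.fill(password, '\0');  // don't keep the secret around
            }
            if (!succeeded) throw new FailedLoginException("invalid credentials");
            return true;
        }

        /** Hypothetical back-end check; the real server login goes here. */
        private boolean checkCredentials(String user, char[] password, String company) {
            return user != null && password != null && password.length > 0 && !company.isEmpty();
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { succeeded = false; return true; }
    }

    /** How a Filter would drive it: the session is handed over so the module can read it. */
    public static LoginContext loginFromForm(HttpServletRequest req, String jaasConfigName)
            throws LoginException {
        String pass = req.getParameter("j_password");
        CallbackHandler h = new FormCallbackHandler(req.getParameter("j_username"),
                pass == null ? new char[0] : pass.toCharArray(), req.getSession());
        LoginContext lc = new LoginContext(jaasConfigName, h);
        lc.login();
        return lc;
    }
}
```

The only place the session crosses into JAAS is the SessionCallback, so the LoginModule stays testable with a plain handler that sets a stub session. The catch block is the part worth keeping even if you later move back to container-managed login: a handler that cannot answer the custom callback makes the login fail loudly, which is easier to diagnose than a module that quietly authenticates without the company or back-end details it was supposed to check.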