Hi guys, I think jaspic's support of configuration mechanism pluggability has had the unfortunate consequence (from the perspective of developers who use different products) of allowing vendors to focus on integrating authentication mechanism configuration in their proprietary configuration consoles and systems. We need to also cooperate ro make sure that developers and system admins have access to and are able to integrate and use a portable vendor independent authentication mechanism configuration system. One such system is included in the Glassfish open source project (search JAASServletAuthConfigProvider.java). It should be possible for this AuthConfigProvider to be registered in any Servlet Container Profile of JASPIC compatible servlet container, whcih will then allow the developer/security admin to configure authentication modules using JAAS config-file syntax. To make things really simple, the AuthConfigProvider can be registered via a ServletContainerInitializer, or via the persistent configuration of the vendor supplied AuthConfigFactory. Since the Factory is also pluggable via the spi, it should alos be possible to replace a vendor provided AuthConfigFactory with a portable AuthConfigFactory. One such factory, AuthConfigFileFactory.java may be found in Glassfish. Use of a common factory, would then allow simple common persistent configuration of the JAASServletAuthConfigProvider, and of any other AuthConfigProviders that should be available in the vendor environment.
If you are interested in the use of JASPIC within Servlet, you should consider tracking or participating in the open source project Nobis (i.e the RI of JSR 351) where we are working to facilitate portable authentication mechanims pluggability in the context of a standard AttributeService and representation of Identity Atrributes. We have already begun the process of creating some portable ServerAuthModuels (Facebook Connect, and SAML Web SSO) and are working to failitate portable configuration (as described above) see http://java.net/projects/nobis/pages/Home and http://java.net/projects/nobis/sources/git/show/Nobis/authentication.
Ron
ps: we are reviewing the portability and packaging of the glassfish systems mentioned above as part of the Nobis project. If you see any problems please feel free to create an issue in the Nobis issue tracker.