Josef Cacek wrote:
I think the ServerAuthModule implementations in the org.jboss.as.web.security.jaspi.modules package are ready for use (handle the HTTP BASIC, FORM and CLIENT-CERT authentication).
Do you mean by that that in an upcomming version of JBoss AS, those will indeed become the default and thus explicitly configuring org.jboss.as.web.security.jaspi.WebJASPIAuthenticator won't be needed anymore?
In the version shipping with 7.1.1 there are some rather severe bugs btw, like a NPE if a Subject has no roles (a fix is already committed:
https://github.com/sguilhen/jboss-as/commit/78bc38740a3d35367fb3338cfc5d535677503063).