Satish Kinikiri [http://community.jboss.org/people/satish.kinikiri] created the discussion
"Evading Authentication"
To view the discussion, visit: http://community.jboss.org/message/645578#645578
--------------------------------------------------------------
Hi,

I am trying to introduce single sign-on (SSO) for our application.
Currently our application has a custom login module. I want to retain the same
authentication process when the user is logging in directly with username/password
(non-SSO).
I also want to add an authentication system for when the user tries to log in to my app
using an application through some API.
(Through SSO the user name is available but not the password; I will make use of the
username to create roles.)

Current authentication process:

    LoginClient loginClient = new LoginClient(loginName, loginPassword, true /* server login */);
    AppIQUserData user = loginClient.login();
    ......
    ......

and LoginClient is:

    public LoginClient(String username, String password, boolean serverLogin)
        throws LoginException
    {
        this(new UsernamePasswordHandler(username, password), serverLogin);
    }

    public LoginClient(CallbackHandler handler, boolean serverLogin) throws LoginException
    {
        this(handler,
             serverLogin ? SecurityConstants.SECURITY_DOMAIN : SecurityConstants.CLIENT_DOMAIN,
             serverLogin);
    }

    public LoginClient(CallbackHandler handler, String securityDomain, boolean serverLogin)
        throws LoginException
    {
        log.trace2("login security domain: " + securityDomain);
        this.serverLogin = serverLogin;
        context = new LoginContext(securityDomain, handler);
    }

    /**
     * Perform a login to the AppIQ system.
     * @return The AppIQUserData that has been authenticated
     * @throws LoginException if the login fails
     */
    public synchronized AppIQUserData login() throws LoginException
    {
        log.trace2("login - " + (serverLogin ? "SERVER" : "CLIENT"));
        context.login();
        if (!serverLogin)
            return null;
        Subject subject = context.getSubject();
        if (subject == null)
            throw new LoginException(
                LocalizationUtilities.localize("Exceptions", "LoginFailedNoSubject"));
        log.trace2("login SERVER returns subject: " + subject.toString());
        AppIQUserData user = SecurityMethods.getCallerPrincipal(subject);
        if (user == null)
            throw new LoginException(
                LocalizationUtilities.localize("Exceptions", "UnableToExtractAppIQUserData"));
        /* Stash the context in a cache so that we can re-authenticate when we
         * need to in order to force updates to login credentials when
         * necessary.
         */
        SecurityMethods.add(context);
        return user;
    }

Any idea how we can have the option of avoiding authentication when we are using
UsernamePasswordHandler?

Thanks
Satish.kinikiri(a)gmail.com
--------------------------------------------------------------
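
An added example (not code from the post or from JBoss) of one way to serve the SSO path without skipping authentication: a JAAS login module that accepts the user name only when the password slot carries a time-limited HMAC assertion issued by the SSO gateway. The module name, the `hmacKey` option, the assertion format and the use of the JDK's `UserPrincipal` are assumptions; it needs JDK 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

// Hypothetical module: the SSO path supplies "expiryEpochSeconds:base64(HMAC)" where the
// password would go. The HMAC-SHA256 covers "username|expiry"; a bare user name is never trusted.
public class SsoAssertionLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private byte[] key;              // secret shared with the SSO gateway (assumed option "hmacKey")
    private UserPrincipal principal; // set only after the assertion verifies
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        key = ((String) opts.get("hmacKey")).getBytes(StandardCharsets.UTF_8);
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback assertion = new PasswordCallback("assertion: ", false);
        try {
            handler.handle(new Callback[] { name, assertion });
            String[] parts = new String(assertion.getPassword()).split(":", 2);
            long expiry = Long.parseLong(parts[0]);
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal((name.getName() + "|" + expiry).getBytes(StandardCharsets.UTF_8));
            if (expiry <= System.currentTimeMillis() / 1000   // expired assertion
                    || !MessageDigest.isEqual(expected, Base64.getDecoder().decode(parts[1])))
                throw new LoginException("SSO assertion rejected");
            principal = new UserPrincipal(name.getName());     // null name throws and is rejected below
            return true;
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) { // missing callback data, malformed assertion, crypto setup
            throw new LoginException("SSO assertion rejected");
        }
    }

    public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

Because the post's `LoginClient` already has constructors that take a `CallbackHandler` and a security domain name, the SSO path could point at a separate domain configured with a module like this one while the username/password path stays unchanged.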