users@glassfish.java.net

Re: Easiest and most portable way to authenticate programatically.

From: <glassfish_at_javadesktop.org>
Date: Mon, 08 Feb 2010 11:19:44 PST

All you need is to take a look at JSR-196. GlassFish 3 (and probably 2) implements this standard. You need to implement:
javax.security.auth.message.module.ServerAuthModule;

In GlassFish this is called a message security provider (specifically for the HTTP servlet layer)

and handle all HTTP requests (in the ServerAuthModule) to:
- (step 1) authenticate using the provided username/password retrieved from the client (i.e. from POST) and create a Principal
- (step 2) during the subsequent requests you should tell the container about the Principal created in step 1 (which you should retrieve i.e. from the session, or you can always behave like in step 2, this is what basically FORM does)

On the network you can find the example for implementing the FORM authentication method which does not implement step 2 (step 2 is hard to write because of the not very friendly documentation for JSR-196). I have implemented such a module for Flash / Flex and GlassFish 3 and plan to release it as open source, but do not have enough time to make the project ready (in terms of description, documentation etc.). Flex / Flash (in the browser) has very ugly HTTP handling as you already know, and by using JSR-196 you can customize the responses sent by the container / your module to the client. In my application the module returns XML with an error description instead of HTTP 401, which can be read by low-level Flash / AS3 functions whether it is AS3 in the browser or standalone AIR.

Feel free to ask if you need more info.
[Message sent by forum member 'jszczepankiewicz' (jarrman_at_poczta.onet.pl)]

http://forums.java.net/jive/thread.jspa?messageID=385505
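
The two steps described in the message above, as an added example (not the poster's module, which the post does not show): a JSR-196 `ServerAuthModule` for the servlet layer that validates credentials once, then re-asserts the caller from the session on every request. The `j_username`/`j_password` parameter names, the `sam.user` session key, the XML error body and the 401 status are assumptions of this example.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class SessionLoginSam implements ServerAuthModule {
    private static final String USER_ATTR = "sam.user"; // hypothetical session key
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;

    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map opts) { handler = h; }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest rq = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse rs = (HttpServletResponse) mi.getResponseMessage();
        try {
            HttpSession s = rq.getSession(false);
            String user = (s == null) ? null : (String) s.getAttribute(USER_ATTR);
            String u = rq.getParameter("j_username"), p = rq.getParameter("j_password"); // assumed names
            boolean login = "POST".equals(rq.getMethod()) && u != null && p != null;
            if (login) { // step 1: the container's realm checks the credentials
                PasswordValidationCallback pv = new PasswordValidationCallback(client, u, p.toCharArray());
                handler.handle(new Callback[] { pv });
                user = pv.getResult() ? u : null;
                pv.clearPassword();
                if (s != null) s.invalidate(); // never reuse a pre-login session id (session fixation)
                if (user != null) rq.getSession(true).setAttribute(USER_ATTR, user);
            }
            boolean mandatory = Boolean.parseBoolean(String.valueOf(mi.getMap().get(MANDATORY)));
            if (user == null && (login || mandatory)) { // constructed XML error body for the client
                rs.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                rs.setContentType("text/xml");
                rs.getWriter().write("<error code=\"auth-required\"/>");
                return AuthStatus.SEND_FAILURE;
            }
            // step 2: on every request, tell the container who the caller is (null = anonymous)
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
}
```

The session holds only the caller name; if role checks need groups that the container does not re-derive from that name, pass a `GroupPrincipalCallback` alongside the `CallerPrincipalCallback` in step 2.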