users@jaspic-spec.java.net

How does JSR196 relate to realms?

From: <mjremijan_at_yahoo.com>
Date: Wed, 5 Aug 2015 20:51:21 +0000 (UTC)

Greetings.

I am trying to figure out how to add a non-form-based custom authentication
to my WebApp and I'd very much prefer to keep as much of the security
details out of the WebApp as possible. I will be using GlassFish/Payara
for this. I've done a bunch of research and I'm stuck on how JSR196
relates to the Java EE server realms. I've read some blogs online
about creating new realms for GlassFish; however, they still required
the web.xml to be configured with a FORM-based login configuration.
What I want to do is custom for my company and does not fit into
DIGEST, BASIC, FORM, CLIENT CERTIFICATE. Reading the GlassFish
Application Development guide, there is a section on "Adding
Authentication Mechanisms to the Servlet Container" and it implies
JSR196 can be used to create something new like OPENID in addition to
the EE standard DIGEST, BASIC, etc. But I'm way confused on how JSR196
and Realms fit together, or if they even do at all. What I would like
to do is create a new authentication mechanism using JSR196 which I'd
use to basically get the user's ID from the HttpServletRequest, but
then I'd like to pass this ID to a custom realm for final
authentication and access. Is this possible? Is this the way things
work, or if you create something new with JSR196 do you not use realms?