I am failing to create custom login modules because I don't understand how the Tomcat servlet container works. I have a web.xml with security-constraints, auth-constraints, url-patterns, etc. When I specify org.jboss.security.auth.spi.UsersRolesLoginModule in my jaas.conf, login works as expected. When I specify my bare-bones custom login module, authentication does not succeed. Here is an example:
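
    @Override
    public boolean commit() {
        // Adds both names directly to the Subject as plain principals.
        subject.getPrincipals().add(new CustomPrincipal("admin"));
        subject.getPrincipals().add(new CustomPrincipal("users"));
        return true;
    }

    @Override
    public boolean login() throws LoginException {
        // Bare-bones: accepts every attempt without checking any credentials.
        return true;
    }
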
These methods are called, but login fails. How does the servlet container know if authentication succeeds? I thought it would check to make sure commit returns true and any principal exists. I added "users" because that is the auth-constraint specified in web.xml protecting the resources.