Can j_security_check authentication be followed by another web authentication mechanism?

Question

In my web app, I am using form-based login. I have a scenario where I have to validate the users present in a different database in addition to the data of the table set in login-config.xml.

So,I was thinking of this flow:

User tries to access a secured resource -> if No active session,will be redirected to login form -> User enters his credentials -> j_security_check authenticates as per login-config.xml -> if authentication succeeds, well and good, else redirect to a jsp error page, where I check if the user is present in the other DB(Active directory to be specific.I already have the code to validate the credentials) and create a session on success -> else redirect to error page

Is the part highlighted above in bold possible at all??

I have read in some articles that once the authentication is given to j_security_check, there is no way to over rule it. Is it true???

Is there any other possible solution for this problem (apart from adding the users from other db to the table specified in the login-config.xml or modifying the login-config.xml)??

(I am using Jboss)

Thanks.

Answer 1

Create Servlet Filter that would catch URL to which user is redirected after j_security_check. In this filter check user credentials in the other database.

If the check is succesful add to session boolean value that would reflect that fact. If the check fails remove session (HttpSession.invalidate() method) and redirect user to the error page.

Probably the filter would catch all URL-s that need authorization. In you filter check if there is boolean flag, so you don't do the database check again and again.