I have a custom LoginModule on my server-side JBoss EAP 6.2.0 SecurityDomain. This custom LoginModule requires three CallbackHandlers: NameCallback (Java standard), PasswordCallback (Java standard) and an additional OtpCallback (implemented by myself, for a one-time password).
I now want to log in to this module via a JSF 2.1 web application. I know that this is usually possible with FORM login, BASIC login, or login via HttpServletRequest#login. But none of them let me specify username, password and otp-value. They only allow for username and password.
Therefore I'm looking for a way to authenticate like with the HttpServletRequest method while being able to supply the three credentials.
Thank you very much for your help!
N.B.:
I've already tried to use:

    // username, password and otp are the values collected from the JSF login form
    LoginContext lc = new LoginContext("MyOtpSecurityDomain", new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            // Fill in each callback the LoginModule asks for
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    NameCallback nc = (NameCallback) callback;
                    nc.setName(username);
                } else if (callback instanceof PasswordCallback) {
                    PasswordCallback pc = (PasswordCallback) callback;
                    pc.setPassword(password.toCharArray());
                } else if (callback instanceof OtpCallback) {
                    // Custom callback carrying the one-time password
                    OtpCallback oc = (OtpCallback) callback;
                    oc.setOtp(otp);
                }
            }
        }
    });
    lc.login();

This even calls my server-side custom Login Module, but somehow the login is not propagated to the webapp and the EJBs.