How can I implement Picketlink Authenticator in the war layer

Question

As the title say, I created a class in the war layer that is annotated with @Picketlink. Note that I have an ear deployment structure (ejb, war).

The custom authenticator:

@PicketLink
public class PicketlinkAuthenticator extends BaseAuthenticator { }

If I put that class in the ejb layer, the authentication is ok but when I put it to the war layer it seems like it's not found by the project as it's throwing:

20:49:46,027 INFO  [org.picketlink.common] (default task-10) Using logger implementation: org.picketlink.common.DefaultPicketLinkLogger
20:49:46,043 INFO  [org.picketlink.idm] (default task-10) PLIDM001000: Bootstrapping PicketLink Identity Manager
20:49:46,068 WARN  [org.picketlink.idm] (default task-10) PLIDM001101: Working directory [\tmp\pl-idm] is marked to be always created. All your existing data will be lost.
20:49:46,111 INFO  [org.picketlink.idm] (default task-10) PLIDM001100: Using working directory [\tmp\pl-idm].
20:49:46,127 DEBUG [org.picketlink.idm] (default task-10) No partitions to load from \tmp\pl-idm\pl-idm-partitions.db
20:49:46,152 DEBUG [org.picketlink.idm] (default task-10) Initializing Partition [6a373282-0173-4b7d-bd6a-ff0e5dc43436] with id [6a373282-0173-4b7d-bd6a-ff0e5dc43436].
20:49:46,153 DEBUG [org.picketlink.idm] (default task-10) Loaded Agents for Partition [6a373282-0173-4b7d-bd6a-ff0e5dc43436].
20:49:46,154 DEBUG [org.picketlink.idm] (default task-10) Loaded Credentials for Partition [6a373282-0173-4b7d-bd6a-ff0e5dc43436].

Why not just move the authenticator to the ejb side? ->Because I'm throwing custom error like user expired, etc. I need jsf to post these error messages.

Why not move the picketlink dependency in the web layer? ->Because my account that extended the picketlink account is binded to my services.

As suggested here I already added the picketlink module in the war project: https://docs.jboss.org/author/display/PLINK/JBoss+Modules

<jboss-deployment-structure>
  <ear-subdeployments-isolated>false</ear-subdeployments-isolated>
  <sub-deployment name="THE-WAR-MODULE-THAT-REQUIRES-PICKETLINK.war">
    <dependencies>
      <module name="org.picketlink" />
    </dependencies>
  </sub-deployment>
</jboss-deployment-structure>

Anyway around this? I just want to show some custom errors :-(

Answer 1

I was not able to solve this problem but I have a work-around solution and that is to move the picketlink module to the web layer and just pass the identity instance to the services that need it.

Answer 2

I have been missing around with the same problem as well for a while now (it's 2016 now ...). What seems to make it work is to add the following CDI annotations:

@PicketLink
@Name
@RequestScoped
public class PicketlinkAuthenticator extends BaseAuthenticator { }

I would have expected the core Authentication Manager to pick this up just based on the @PicketLink Annotation, but without the CDI Annotations, the custom Authenticator class is never even loaded. Maybe there is an other way that will require us to bootstrap PicketLink - but I could not find any references.