Custom JAAS LoginModule

Fortunately, LoginModule is part of the standard JAAS API and, as such, is well documented in many books and on the Internet. Here, we will write the simplest LoginModule that solves our problem: validating principals against a legacy external SSO system over HTTP. As a teaching aid, we will also log each call that the Security Services container makes to our methods, so that we can see when and how many times they are called.

Keep in mind that LoginModule is a stateful bean: it must retain the configuration data it receives when it is initialized, and it must keep its state from the login callback through to commit (or abort, or whatever comes next) so that it answers in the correct and expected way.

Let's start with the definition; ...
