Ok, I found the answer. So here it is:

Basically what I was trying to achieve was to implement an openid-based authentication mechanism in glassfish. One way of doing that is to use ProgrammaticLogin but this has a few drawbacks – no easy way of redirecting back to requested URL and programmatic auth means more work for the programmer. So after reading around I found the better way to achieve my goal – Server Authentication Modules or SAMs. This is part of a standard process described in JSR-196 and provides a way for creating pluggable auth modules for glassfish (ie. different than the standard FORM, BASIC etc.). This method allows you to plug new auth modules in the servlet container while keeping your declarative security model.

So all I need to do is write my own custom SAM. Here’s a quick how-to:

1. Implement the ServerAuthModule interface which mostly boils down to the following method:

   AuthStatus validateRequest(MessageInfo messageInfo, security.auth.Subject
clientSubject, security.auth.Subject serviceSubject) throws AuthException

2. Package your SAM in a jar, and place your jar in the glassfish lib directory.

3. Configure the SAM for use with your application. This is done in 2 steps:

   • Define your SAM as a message-security-provider in domain.xml.
   • Bind the SAM for use with your application. You can do this by defining the httpservlet-security-provider attribute in the sun-web-app.xml of your app. Set the value of the attribute to the name you assigned to your SAM in step 1.

For more info read this great tutorial by Ron Monzillo.

UPDATE: There is a simpler and more elegant solution to this problem called AuthenticRoast. This is a Java library written by Aike Sommer which allows you to write your own pluggable authenticators.