Short version: In pure Java EE 6, is there something like Spring’s Authentication Processing Filter, which customizes form-based authentication?

Long version: I’m working on a pure Java EE 6 web application (JSF2, CDI), which must be independent of the concrete Java EE 6 container used later.

JSF2 pages with restricted access are stored in a sub-folder /pages. In my web.xml, I defined the following to restrict access to those pages:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>??????????</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/access_denied.jsf</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <display-name>pages_auth</display-name>
    <web-resource-collection>
        <web-resource-name>pages</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AuthenticatedUser</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>AuthenticatedUser</role-name>
</security-role>

As indicated by the “????” in the code above, I can’t use one of the pre-defined realms like JDBC, because the autentication to use is very custom (nasty detail: credentials are checked against an ugly legacy system) and requires some Java coding.

I expected that I could create a new class implementing some interface overriding some authenticate method with the parameters “login” and “password” returning a boolean to denote a successful authentication.

However, after reading several hours on the topic, I’m totally lost 🙁 Do I need to implement a JAAS LoginModule and Realm? This looks very complicated to me. Or is there another standard Java EE 6 way to do it? Or do I need to go the way of implementing a ServletFilter instead?