Tags: authentication, java-ee-6, glassfish-3, jaas, servlet-3.0

Programmatic login based on JDBCRealm


I'm trying to implement OpenID authentication in a simple JSP app.

The FORM-based authentication really drives me nuts, since there is no way to listen for pre, post-authenticate events.

When I receive user information from the OpenID provider, I want to suggest that they fill out a simple registration form (i.e. edit details received from the identity provider, and optionally add some additional information). But if I use the standard "j_security_check" action, those details are lost. If I try to log the user in programmatically (i.e. using HttpServletRequest#login(user, password)), I can't redirect the user to the originally requested URL (since only FormAuthenticator keeps this information).

Is there a way to manually control the authentication mechanism, using some pre-configured JDBC realm? That is, I don't want to specify <login-config /> in my web.xml, but when calling HttpServletRequest#login I want to authenticate against the JDBC realm. Is this possible?


Solution

  • No, that is basically not possible with what GlassFish offers out of the box. You need to dig deeper. You would end up using a custom JAAS LoginModule and the JSR-196 Login Bridge. Some more pointers:
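
The redirect problem raised in the question (programmatic login loses the originally requested URL) can be handled in the application by keeping that URL in the server-side session. The following Servlet 3.0 filter is an added example, not code from the question or the answer; the class name, session key and `/login` path are assumptions, and which realm `HttpServletRequest#login` authenticates against is decided by the container configuration, which this sketch does not address.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, mapped to "/*"; a login page is assumed to be served at GET /login.
public class SavedRequestLoginFilter implements Filter {
    static final String SAVED_URL = "savedRequestUrl"; // hypothetical session key
    static final String LOGIN_PATH = "/login";         // hypothetical login endpoint

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String uri = req.getRequestURI();
        String path = uri.substring(req.getContextPath().length());
        if (LOGIN_PATH.equals(path) && "POST".equals(req.getMethod())) {
            handleLogin(req, res);
        } else if (req.getUserPrincipal() != null || LOGIN_PATH.equals(path)) {
            chain.doFilter(req, res); // authenticated, or fetching the login page
        } else {
            // Remember only replayable GET targets, and never one a browser could
            // read as another host ("//host/..." or backslash variants).
            boolean safe = "GET".equals(req.getMethod())
                    && !uri.startsWith("//") && uri.indexOf('\\') < 0;
            if (safe) {
                String q = req.getQueryString();
                req.getSession(true).setAttribute(SAVED_URL, q == null ? uri : uri + "?" + q);
            }
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
        }
    }

    private void handleLogin(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession old = req.getSession(false);
        String target = old == null ? null : (String) old.getAttribute(SAVED_URL);
        if (old != null) old.invalidate(); // drop the pre-login session id (fixation)
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Failed login: keep the target for the next attempt.
            if (target != null) req.getSession(true).setAttribute(SAVED_URL, target);
            res.sendRedirect(req.getContextPath() + LOGIN_PATH + "?error=1");
            return;
        }
        res.sendRedirect(target != null ? target : req.getContextPath() + "/");
    }
}
```

Because the target comes from the session rather than a request parameter, the post-login redirect cannot be steered by a crafted link parameter.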