Harbor security is normally configured through the
harbor_users.xml file.
Sometimes, however, a developer may want to create a specialized
Authentication Module (AM). It could do anything from accessing
a database or LDAP through to reading a spreadsheet, or perhaps
even calling another remote Harbor server which behaves as an
authentication server.
There are standard techniques; however, one may often wish to
customize them. The nice thing is that Harbor's default security
files can go out with the WAR, which is useful when one wants to
make demos work out of the box. But then your customer might
want more: for example, they may want Harbor to work against
their Windows LDAP server (Active Directory).
Then you will use the user hook. This does NOT go in the
repository; it goes in the WEB-INF folder, under classes or lib.
Servlet developers will immediately recognize that it's normal
servlet development, although standalone development of your AM
is just as easy.
The system calls auditCredentials when a user needs to be
authenticated, and it calls getUserRoles when the user's roles
are needed.
No matter what mechanism you use, make sure it's fast.
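
A minimal sketch of such an AM, added here as an illustration and not Harbor's own code: authentication always goes to the backing store, while role lookups are served from a short-lived cache to keep them fast. Only the method names auditCredentials and getUserRoles come from the text above; their signatures, the Backend interface, the class name and the sample data are assumptions (Java 16 or later).

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch: Harbor's real hook interface is not shown on this page,
// so the signatures of auditCredentials and getUserRoles below are assumptions.
public class CachingAuthModule {
    // Assumed abstraction over the slow store (LDAP, database, remote server).
    public interface Backend {
        boolean checkPassword(String user, char[] password);
        List<String> lookupRoles(String user);
    }
    private record CachedRoles(List<String> roles, long expiresAtMillis) {}

    private final Backend backend;
    private final long ttlMillis;
    private final Map<String, CachedRoles> roleCache = new ConcurrentHashMap<>();

    public CachingAuthModule(Backend backend, long ttlMillis) {
        this.backend = backend; this.ttlMillis = ttlMillis;
    }

    // Called when a user needs to be authenticated. The result is never cached,
    // so a password change or account lock takes effect on the next login.
    public boolean auditCredentials(String user, char[] password) {
        // Reject empty input before it reaches the directory: an LDAP simple
        // bind with a name and an empty password can succeed unauthenticated.
        if (user == null || user.isEmpty() || password == null || password.length == 0) return false;
        return backend.checkPassword(user, password);
    }

    // Called when the user's roles are needed; answered from the cache until the TTL expires.
    public List<String> getUserRoles(String user) {
        if (user == null) return List.of();
        long now = System.currentTimeMillis();
        CachedRoles hit = roleCache.get(user);
        if (hit != null && hit.expiresAtMillis() > now) return hit.roles();
        List<String> roles = List.copyOf(backend.lookupRoles(user));
        roleCache.put(user, new CachedRoles(roles, now + ttlMillis));
        return roles;
    }

    public static void main(String[] args) {
        int[] lookups = {0}; // counts how often the backend is asked for roles
        Backend fake = new Backend() { // constructed in-memory backend with sample data
            public boolean checkPassword(String u, char[] p) { return u.equals("alice") && new String(p).equals("s3cret"); }
            public List<String> lookupRoles(String u) { lookups[0]++; return List.of("editor"); }
        };
        CachingAuthModule am = new CachingAuthModule(fake, 30_000);
        System.out.println("empty password accepted: " + am.auditCredentials("alice", new char[0]));
        am.getUserRoles("alice"); am.getUserRoles("alice");
        System.out.println("backend role lookups: " + lookups[0]);
    }
}
```

The TTL bounds how long a revoked role stays effective, so choose it with that window in mind.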