see comments

api/src/main/java/org/picketlink/authentication/web/AuthenticationFilter.java

@@ -47,6 +47,9 @@ public class AuthenticationFilter implements Filter {
 
     public static final String REALM_NAME_INIT_PARAM = "realmName";
     public static final String AUTH_TYPE_INIT_PARAM = "authType";
+    public static final String FORM_LOGIN_PAGE_INIT_PARAM = "form-login-page";
+    public static final String FORM_ERROR_PAGE_INIT_PARAM = "form-error-page";
+
     public static final String UNPROTECTED_METHODS_INIT_PARAM = "unprotectedMethods";
 
     @Inject
@@ -60,7 +63,7 @@ public class AuthenticationFilter implements Filter {
     private Set<String> unprotectedMethods = new HashSet<String>();
 
     public enum AuthType {
-        BASIC, DIGEST
+        BASIC, DIGEST, FORM
     }
 
     private AuthType authType = AuthType.BASIC;
@@ -76,8 +79,12 @@ public void init(FilterConfig config) throws ServletException {
 
         setAuthType(config.getInitParameter(AUTH_TYPE_INIT_PARAM));
 
+        String formLoginPage = config.getInitParameter(FORM_LOGIN_PAGE_INIT_PARAM);
+        String formErrorPage = config.getInitParameter(FORM_ERROR_PAGE_INIT_PARAM);
+
         this.authenticationSchemes.put(AuthType.DIGEST, new DigestAuthenticationScheme(this.realm));
         this.authenticationSchemes.put(AuthType.BASIC, new BasicAuthenticationScheme(this.realm));
+        this.authenticationSchemes.put(AuthType.FORM, new FormAuthenticationScheme(this.realm, formLoginPage, formErrorPage));
 
         String unprotectedMethodsInitParam = config.getInitParameter(UNPROTECTED_METHODS_INIT_PARAM);
 
@@ -132,6 +139,10 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
                 if (creds.getCredential() != null) {
                     identity.login();
+                    if(authType.equals(AuthType.FORM)){
+                        authenticationScheme.postAuthentication(request,response);
+                        return;
+                    }
                 }
             }
 
@@ -158,12 +169,12 @@ private void setAuthType(String value) {
         try {
             this.authType = AuthType.valueOf(value);
         } catch (IllegalArgumentException e) {
-            throw new IllegalArgumentException("Unsupported authentication type. Possible values are: BASIC and DIGEST.", e);
+            throw new IllegalArgumentException("Unsupported authentication type. Possible values are: BASIC, FORM and DIGEST.", e);
         }
     }
 
     private boolean isProtected(HttpServletRequest request) {
         return !this.unprotectedMethods.contains(request.getMethod().toUpperCase());
     }
 
-}
+}

api/src/main/java/org/picketlink/authentication/web/BasicAuthenticationScheme.java

@@ -65,6 +65,10 @@ public void challengeClient(HttpServletRequest request, HttpServletResponse resp
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
     }
 
+    @Override
+    public void postAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException {
+    }
+
     private boolean isBasicAuthentication(HttpServletRequest request) {
         return getAuthorizationHeader(request) != null && getAuthorizationHeader(request).startsWith("Basic ");
     }

api/src/main/java/org/picketlink/authentication/web/DigestAuthenticationScheme.java

@@ -88,6 +88,10 @@ public void challengeClient(HttpServletRequest request, HttpServletResponse resp
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
     }
 
+    @Override
+    public void postAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException {
+    }
+
     private String[] extractTokens(HttpServletRequest request) {
         String authorizationHeader = getAuthorizationHeader(request).substring(7).trim();
 
@@ -104,4 +108,4 @@ private boolean isDigestAuthentication(HttpServletRequest request) {
 
         return authorizationHeader != null && authorizationHeader.startsWith("Digest ");
     }
-}
+}

api/src/main/java/org/picketlink/authentication/web/FormAuthenticationScheme.java

@@ -0,0 +1,118 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.picketlink.authentication.web;
+
+import org.picketlink.authentication.web.support.RequestCache;
+import org.picketlink.authentication.web.support.SavedRequest;
+import org.picketlink.credential.DefaultLoginCredentials;
+
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+
+/**
+ * An implementation of {@link HTTPAuthenticationScheme} that supports the Servlet Specification
+ * FORM Authentication Scheme
+ * @author Anil Saldhana
+ * @since June 06, 2013
+ */
+public class FormAuthenticationScheme implements HTTPAuthenticationScheme{
+    private RequestCache requestCache = new RequestCache();
+
+    private final String realm;
+    private final String formLoginPage;
+    private final String formErrorPage;
+
+    public static final String J_SECURITY_CHECK ="j_security_check";
+    public static final String J_USERNAME = "j_username";
+    public static final String J_PASSWORD = "j_password";
+
+    public static final String SAVED_REQUEST = "SAVED_REQUEST";
+
+    private enum STATES {BEFORE_LOGIN,SHOW_LOGIN_PAGE,AFTER_LOGIN};
+
+    public static final String STATE = "STATE";
+
+    public FormAuthenticationScheme(String realm, String formLoginPage, String formErrorPage){
+        this.realm = realm;
+        this.formLoginPage = formLoginPage;
+        this.formErrorPage = formErrorPage;
+    }
+    @Override
+    public void extractCredential(HttpServletRequest request, DefaultLoginCredentials creds) {
+        if(isFormSubmitted(request)){
+            creds.setUserId(request.getParameter(J_USERNAME));
+            creds.setPassword(request.getParameter(J_PASSWORD));
+        }
+    }
+
+    @Override
+    public void challengeClient(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        HttpSession session = request.getSession();
+
+        String sessionState = (String) session.getAttribute(STATE);
+        if(sessionState == null || STATES.BEFORE_LOGIN.toString().equals(sessionState)){
+            //Save current request
+            requestCache.saveRequest(request);
+            forwardToLoginPage(request,response);
+            session.setAttribute(STATE,STATES.SHOW_LOGIN_PAGE.toString());
+        }
+    }
+
+    @Override
+    public void postAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        HttpSession session = request.getSession();
+        String state = (String) session.getAttribute(STATE);
+        if(state != null && STATES.SHOW_LOGIN_PAGE.toString().equals(state)){
+            requestCache.removeAndStoreSavedRequestInSession(request);
+            SavedRequest savedRequest = (SavedRequest) session.getAttribute(FormAuthenticationScheme.SAVED_REQUEST);
+            String requestedURI = savedRequest.getRequestURI();
+            session.setAttribute(STATE,STATES.AFTER_LOGIN.toString());
+
+            response.sendRedirect(requestedURI);
+        }
+    }
+
+    private void forwardToLoginPage(HttpServletRequest request, HttpServletResponse response){
+        RequestDispatcher rd = request.getRequestDispatcher(formLoginPage);
+        try {
+            rd.forward(request,response);
+        } catch (ServletException e) {
+            throw new RuntimeException(e);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+    private void forwardToErrorPage(HttpServletRequest request, HttpServletResponse response){
+        RequestDispatcher rd = request.getRequestDispatcher(formErrorPage);
+        try {
+            rd.forward(request,response);
+        } catch (ServletException e) {
+            throw new RuntimeException(e);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private boolean isFormSubmitted(HttpServletRequest request){
+        return request.getRequestURI().contains(J_SECURITY_CHECK);
+    }
+}

api/src/main/java/org/picketlink/authentication/web/HTTPAuthenticationScheme.java

@@ -39,5 +39,6 @@ public interface HTTPAuthenticationScheme {
     void extractCredential(HttpServletRequest request, DefaultLoginCredentials creds);
 
     void challengeClient(HttpServletRequest request, HttpServletResponse response) throws IOException;
-
+
+    void postAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException;
 }

api/src/main/java/org/picketlink/authentication/web/support/RequestCache.java

@@ -0,0 +1,79 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.picketlink.authentication.web.support;
+
+import org.picketlink.authentication.web.FormAuthenticationScheme;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * <p>
+ * This class maintains a cache of {@link SavedRequest} instances created from {@link HttpServletRequest} instances. This class
+ * is to be used during authentication to help to retrieve previous informations from the request made for the first time before
+ * the authentication process begins. It also stores the cached request in the user session for later use, if necessary.
+ * </p>
+ *
+ * @author <a href="mailto:psilva@redhat.com">Pedro Silva</a>
+ */
+public class RequestCache {
+
+    private ConcurrentHashMap<String, SavedRequest> requestCache = new ConcurrentHashMap<String, SavedRequest>();
+
+    /**
+     * <p>
+     * Saves a {@link HttpServletRequest} as a {@link SavedRequest} instance. All the state from the original request will be
+     * copied.
+     * </p>
+     *
+     * @param request
+     */
+    public void saveRequest(HttpServletRequest request) {
+        this.requestCache.put(getCurrentSession(request).getId(), new SavedRequest(request));
+    }
+
+    /**
+     * <p>
+     * Returns the user session. If no session was created a exception is raised. A valid session must exist before invoking
+     * this method.
+     * </p>
+     */
+    private HttpSession getCurrentSession(HttpServletRequest request) {
+        HttpSession session = request.getSession(true);
+
+        if (session == null) {
+            throw new IllegalStateException("Unable to cache the request. User session was not created.");
+        }
+        return session;
+    }
+
+    /**
+     * <p>
+     * Removes a cached request and stores it in the session.
+     * </p>
+     */
+    public SavedRequest removeAndStoreSavedRequestInSession(HttpServletRequest request) {
+        HttpSession session = getCurrentSession(request);
+        SavedRequest savedRequest = this.requestCache.remove(session.getId());
+
+        session.setAttribute(FormAuthenticationScheme.SAVED_REQUEST, savedRequest);
+
+        return savedRequest;
+    }
+}