How about writing an authentication pipeline
##
## Authentication Pipeline
##
#
# Input a list of comma delimited class names that implement
# com.liferay.portal.security.auth.Authenticator. These classes will run
# before or after the portal authentication begins.
#
# The Authenticator class defines the constant values that should be used
# as return codes from the classes implementing the interface. If
# authentication is successful, return SUCCESS; if the user exists but the
# passwords do not match, return FAILURE; and if the user does not exist on
# the system, return DNE.
#
# Constants in Authenticator:
# public static final int SUCCESS = 1;
# public static final int FAILURE = -1;
# public static final int DNE = 0;
#
# In case you have several classes in the authentication pipeline, all of
# them have to return SUCCESS if you want the user to be able to login. If
# one of the authenticators returns FAILURE or DNE, the login fails.
#
# Under certain circumstances, you might want to keep the information in the
# portal database in sync with an external database or an LDAP server. This
# can easily be achieved by implementing a class via LDAPAuth that updates
# the information stored in the portal user database whenever a user signs
# in.
#
# Each portal instance can be configured at run time to either authenticate
# based on user ids or email addresses. See the Admin portlet for more
# information.
#
# Available authenticators are:
# com.liferay.portal.security.auth.LDAPAuth
#
# See the LDAP properties to configure the behavior of the LDAPAuth class.
#
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
#auth.pipeline.post=
#
# Set this to true to enable password checking by the internal portal
# authentication. If set to false, you're essentially delegating password
# checking is delegated to the authenticators configured in
# "auth.pipeline.pre" and "auth.pipeline.post" settings.
#
auth.pipeline.enable.liferay.check=true
