We've been evaluating Liferay against other 168/286 portals and have been examining how to fit it into our existing OpenSSO architecture. We use Sun's OpenSSO software at the web server level with the amagent, using headers to present identity information to applications behind the web server. This allows us to integrate our SSO system with spnego, so that our users never actually consciously log into our web apps, the web server simply challenges windows for their identity.

The caveat of this is that the web application behind the application server never really needs to interact with SSO, it simply needs to know how to interpret the headers into the meaningful data the application requires. The question of whether the headers are correct and being honestly sent from a genuine source is handled by other means that do not concern the j2ee application (in this case liferay).

Is there a type of "custom authenticator" that can simply be told to look for specified request headers and treat those request headers as the necessary values for the userid, email, given and last names?