  1. Magnolia
  2. MAGNOLIA-1166

SecurityFilter should use protected static final properties and protected authenticate method


    • New Feature
    • Resolution: Fixed
    • Major
    • 3.0 RC4
    • 3.0 RC3
    • security
    • None

      I'm currently writing a module to add the CAS Filter [1] functionalities to Magnolia.
      The interest of CAS is that the client application (Magnolia here) will never see the login / password which is directly sent to the CAS server by SSL tunnel, and then the client application checks if the user has been logged in to the CAS server (with a "ticket" system).

      In Magnolia, the SecurityFilter is the only one to know which URL must be protected, reading the conf from JCR. It uses the JAAS LoginModule system to authenticate the user, BUT when calling the JAAS LoginModule, it's already too late: the login page has been sent to the user by the SecurityFilter, and login & password sent to Magnolia.
      I've written the CAS Module using a class which extends the SecurityFilter (in order to benefit from the JCR URL path resolution), BUT I've been forced to put the static final properties and the authenticate method in protected visibility.

      I think it should be protected, in order to extend the filter in the way I've extended it.
      Thanks,
      Anthony


              gjoseph Magnolia International
              iorga Anthony Ogier