After you install and configure the SAM, you can bind it for use by the container on behalf of one or more of your applications. You have two options in how you bind the SAM, depending on whether you are willing to repackage and redeploy your application:
If you are willing to repackage and redeploy, you can bind the SAM using the sun-web.xml file. Set the value of the httpservlet-security-provider attribute of the sun-web-app element to the SAM's configured provider ID, for example, MySAM. For more information about the sun-web.xml file, see the Oracle GlassFish Server 3.0.1 Application Deployment Guide. This option leverages the native AuthConfigProvider implementation that ships with the GlassFish Server.
Another approach is to develop your own AuthConfigProvider and register it with the GlassFish Server AuthConfigFactory for use on behalf of your applications. For example, a simple AuthConfigProvider can obtain, through its initialization properties, the classname of a SAM to configure on behalf of the applications for which the provider is registered. You can find a description of the functionality of an AuthConfigProvider and of the registration facilities provided by an AuthConfigFactory in the JSR 196 specification.