Mete, Thank you for the response. Unfortunately, I am still having troubles.
I have: * confirmed that the Tomcat Valve is being loaded correctly. * defined the TomcatLoginCommand in services-config.xml (see below). * secured the destination (see remoting-config.xml below). * configured JBoss to use a UsersRolesLoginModule and added the user and basic_access role (same concept as adding Tomcat users and roles). * not set any credentials in the Actionscript code. * DID NOT secure the endpoint in the web.xml since your guidance didn't included it and therefore implies you don't need to. The results? I was not prompted with the web browser Basic login prompt and the destination was not secured. I could contact the destination even though I was not authenticated. It didn't work! Ahhhhhhhhhhhh. Any other thoughts? Jim === services-config.xml === <?xml version="1.0" encoding="UTF-8"?> <services-config> <services> <service-include file-path="remoting-config.xml" /> <service-include file-path="messaging-config.xml" /> </services> <factories> <factory id="ejb" class="com.adobe.ac.ejb.EJB3Factory" /> </factories> <security> <login-command class="flex.messaging.security.TomcatLoginCommand" server="JBoss"/> <security-constraint id="basic-access"> <auth-method>Basic</auth-method> <roles> <role>basic_access</role> </roles> </security-constraint> </security> === remoting-config.xml === <?xml version="1.0" encoding="UTF-8"?> <service id="remoting-service" class="flex.messaging.services.RemotingService"> <adapters> <adapter-definition id="java-object" class="flex.messaging.services.remoting.adapters.JavaAdapter" default="true" /> </adapters> <default-channels> <channel ref="polling-channel" /> </default-channels> <destination id="DataGenerator"> <properties> <factory>ejb</factory> <source>dashboard/DataGeneratorBean</source> </properties> <security> <security-constraint id="basic-access"/> </security> </destination> </service> --- In flexcoders@yahoogroups.com, "meteatamel" <[EMAIL PROTECTED]> wrote: > > Hi Jim, > > The short answer is that TomcatLoginCommand uses Tomcat valve to do > its authentication/authorization but here's a writeup I have on > BlazeDS security that should clarify things. > > -Mete