I've seen this question posted, but alas no answers.
Per the instructions at http://www.jboss.org/documentation/HTML/ch11s78.html, I have been able to secure my Jboss beans using a stand-alone java program.
However, copying the exact same code into a servlet hosted by my jboss-jetty configuration (a stock configuration distributed on the Jboss site), it fails to work! The behavior that I'm noticing is that the "ClientLoginModule" is called as in the case with the stand-alone class, _but_the_server_side_LoginModule_is_NEVER_ called when run in this combination.
I have tried the following:
1) Running bean and servlet in the same ear file
2) Running bean and servlet in separate ear files
3) Setting servlet java.security.auth.login.config to point to the SERVER auth file instead of the client (In this case, the server side login module is called, but the principal and roles are not passed to the bean).
If any of you have any ideas as to what might be happening, I would appreciate it greatly. We really would like to run JBoss/Jetty in a production environment, but this problem is hampering that initiative.
Thanks in advance!
Han Yuan
