Thank you for replying, cgriffith! Do you say that tomcat authentication (I know it quite well, just starting to switch to ejb) is the only way for jboss to remember Principal and Roles to do further security checks (as @RolesAllowed and things like myfaces "visibleOnUserRole" - ok, that's really web-dependent)? But then what about non-webapp-clients? How does a Swing client, for example, do a login to then use jboss security restrictions? Again for every bean method call? Is it a "session" problem?
The reasons I want to switch off tomcat auth.: a) I want to set up a full-fledged user entity when logging in b) I tried to use a LoggedInInterceptor that forwards/redirects to some "login", but with tomcat-auth, you always must send the user to some other secured page and then to intercept that somewhere else to get the rest of the user data. c) There is no FacesContext on these login form pages, so these pages

Thanks again!
sonja
