Scott's howto is an excellent explanation of the use of JAAS and configuring JBoss Login Modules, far better than most other application servers.
But it doesn't cover web-application security in much depth, and certainly not what you are after. The need to do additional processing on a logon action or supply varied error cases isn't covered by the standard authenticators (FORM, BASIC, DIGEST, NONE) in Jetty/Tomcat.

So you can either

1) Write your own FORM authenticator using org.apache.catalina.authenticator.FormAuthenticator as a base. Note how the authenticator calls

    context.getRealm().authenticate(username, password);

This uses org.jboss.web.tomcat.security.JBossSecurityMgrRealm, which handles the JAAS logon based on the domain specified in jboss-web.xml, where

    <jboss-web>
      <security-domain>java:/jaas/[domainname]</security-domain>
    </jboss-web>

OR

2) Have your Struts action make its authentication calls first as a "pre-auth" before redirecting a user to j_security_check?j_username=user&j_password=password. The security check will then log them in properly and redirect back to the originally requested page.

BUT it is not possible to use the web-constraint type web authorisation and isUserInRole without going through an authenticator, mainly because when you hit a constraint page (and getUserPrincipal and isUserInRole will only work on constraint pages) the authenticator tries to re-auth to the security realm using cached credentials, where JBoss then looks up the subject (principal and roles) from its cache. The thing is, in Tomcat at least, these credentials are cached using Session.setNote by the authenticator, so could never be set by a servlet like your Struts action.

It's a real pain; I'd be very glad to hear anyone else's ideas on this.

Stuart Eccles

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3842685#3842685
_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
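The declarative setup the post refers to (a constraint page, the FORM authenticator and its single error page), as an added example that is not part of the original post. It is a standard Servlet 2.4 web.xml that would sit beside the jboss-web.xml quoted above; the URL pattern, role name and page paths are assumptions.

```xml
<!-- WEB-INF/web.xml (added example; URL pattern, role and page paths are assumed) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- A "constraint page": any request matching the pattern goes through
       the container's authenticator before it reaches a servlet. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- FORM login sends the password in the request, so require a
         confidential transport for the protected area. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Selects the FORM authenticator. The login page posts j_username and
       j_password to j_security_check; the authenticator hands them to the
       realm. Every failure lands on the one static error page. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles named in auth-constraint or tested with isUserInRole(). -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```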