I just tried with JBoss 4.0.2 and it is definitely working much better. Without any changes to the configuration of the default server of JBoss 4.0.2, I managed to do the following:
1) Create a custom login module that is creating a custom principal.
2) Deploy EJB + servlet configured with the same security domain that is using my custom login module (actually it uses UsersRolesLoginModule, then my custom login module that is changing the CallerPrincipal).
3) Servlet is using FORM based authentication.
4) If I call my EJBs from a remote client, the EJB container performs the JAAS authentication and everything works as expected.
5) If I call the servlet from a web browser, the web container performs the JAAS authentication and the identity gets propagated to the EJBs that it calls.
6) The custom principal created by my login module is the one returned in EJBContext.getCallerPrincipal and HttpServletRequest.getUserPrincipal.

Very cool, very nice :-)

I still have the impression that there is something that I am not able to do in the case of the servlet compared to what I can do with a custom login module used on the remote EJB client side. In the case of a remote EJB client, if I use a custom login module on the client side to create a custom principal, this custom principal is the one used as the key in the security domain cache. My custom login module can then generate a unique number as part of the custom principal, so two calls to "login" with the same user name and password are seen as two different users, two different authentications (one is not reusing the cached principal of the other if not yet expired). With the servlet, it does seem that I can do something like that. Somehow, I'd like to be able to customize the principal that is created before my security domain login modules are called. Maybe this can be achieved by customizing the FORM login (defining my own FORM login action and all). I should probably look into that. But such a solution starts to be FORM authentication specific. I would like it to work for BASIC authentication as well, or any other ones for that matter.

Am I correct in my analysis or am I still missing something?
Thomas

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3878465#3878465
Reply to the post: http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3878465

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
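The per-login principal Thomas describes (a unique number inside the principal so that two logins with the same user name are distinct cache entries), as an added example written as a standard JAAS LoginModule; it is not Thomas's code and not part of JBoss. The class names are invented, it assumes the preceding password-checking module (such as UsersRolesLoginModule) stored the verified user name in the shared state under the conventional key javax.security.auth.login.name, and it only adds the principal to the Subject; marking it as the JBoss CallerPrincipal is the container-specific step the post refers to and is not shown here.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.Map;
import java.util.UUID;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Stacked after a password-checking module; adds a principal that carries a
 *  per-login nonce, so two logins under the same user name compare unequal
 *  and therefore cannot share one cached authentication. (Hypothetical names.) */
public class SessionPrincipalLoginModule implements LoginModule {
    /** Principal whose equality includes the nonce, not just the user name. */
    public static final class SessionPrincipal implements Principal, Serializable {
        private final String name, loginId;
        public SessionPrincipal(String name, String loginId) { this.name = name; this.loginId = loginId; }
        public String getName() { return name; }
        public String getLoginId() { return loginId; }
        @Override public boolean equals(Object o) {
            return o instanceof SessionPrincipal
                && name.equals(((SessionPrincipal) o).name)
                && loginId.equals(((SessionPrincipal) o).loginId);
        }
        @Override public int hashCode() { return 31 * name.hashCode() + loginId.hashCode(); }
        @Override public String toString() { return name + "#" + loginId; }
    }
    private Subject subject;
    private Map<String, ?> sharedState;
    private SessionPrincipal principal;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
    }
    public boolean login() throws LoginException {
        // Assumption: the preceding module stored the verified user name under the
        // conventional shared-state key; fail closed if nothing authenticated before us.
        Object name = sharedState.get("javax.security.auth.login.name");
        if (name == null) throw new LoginException("no authenticated user name in shared state");
        String user = name instanceof Principal ? ((Principal) name).getName() : name.toString();
        principal = new SessionPrincipal(user, UUID.randomUUID().toString()); // fresh nonce per login()
        return true;
    }
    public boolean commit() { subject.getPrincipals().add(principal); return true; }
    public boolean abort()  { principal = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); return true; }
}
```

Because equals() and hashCode() include the nonce, a cache keyed on the principal will hold one entry per login rather than one per user name, which is the distinction the post draws between the remote-client and servlet cases.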