Hi All, I am attempting to secure both my EJB and web content.
I have implemented a login servlet and login filter as per the instructions in jaas_howto and this is all working as expected, with the principal being propagated through to the EJB layer. Heavy going but an excellent document.

However, what surprised me was that when I secured some web content using BASIC HTTP authentication I was still asked for the username and password even after logging on. Reading the howto document I was under the impression that the filter using the ClientLoginModule would transfer these details so they would be visible to the web layer. The jaas_howto example does not really exercise this case, i.e. logging on and then accessing a secured servlet. In my application now the user successfully logs on and then keeps getting asked for a username and password every time they request secure content.

I have read some alternative solutions, one being to code another filter to reject all access to anything other than the login; however, I would sooner use the declarative approach since then I can control based on role and I will need to use the role in this layer. (I bet isInRole will not work also.)

Am I doing something wrong or is this the expected behaviour? If it's the latter, how is everyone else achieving this using declarative security?

Any help would be much appreciated.

Lea.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3847892#3847892