It ended up being a bug in Jetty. For form-based auth, Jetty doesn't
call user.authenticate() (except on the first login post) and so it
doesn't associate a subject with activeSubject in the security manager.
So when it tries to authorize the user in the role, the subject is null
and so it fails.
Message -
From: "Joel Shellman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 17, 2001 10:35 PM
Subject: [JBoss-dev] Bug in JaasSecurityManager in 2.4.3
At least I'm pretty sure. I'm doing source level debugging and
activeSubject (the thread local variable) never gets set during a
request.
Well, this results in the role never being authorized because line 195
always returns null (the thread local always returns null because it's
never set for thi