You have two posts referring to JAAS implementations:

tomee-and-its-ssh-connector
<http://rmannibucau.wordpress.com/2012/05/09/tomee-and-its-ssh-connector/>
create-a-tomee-accessible-through-ssh-with-tomee-maven-plugin
<http://rmannibucau.wordpress.com/2012/10/18/create-a-tomee-accessible-through-ssh-with-tomee-maven-plugin/>

In one you have:

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="PropertiesLogin"
           userClassNames="org.apache.openejb.core.security.jaas.UserPrincipal"
           roleClassNames="org.apache.openejb.core.security.jaas.GroupPrincipal" />

In the other you use:

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="PropertiesLoginModule"
           userClassNames="org.apache.openejb.core.security.AbstractSecurityService$User"
           roleClassNames="org.apache.openejb.core.security.AbstractSecurityService$Group">
    </Realm>

(note: this one is consistent with http://tomee.apache.org/tomee-jaas.html)

Again, I tried both with no luck. As I mentioned earlier, while stepping through the PropertiesLoginModule I can see that I'm successfully authenticating and my role is being properly read in and added as a Principal but I'm still getting a 403. I just don't know where to look from here (i.e. what code is actually doing the authentication).

--
View this message in context: http://openejb.979440.n4.nabble.com/webservice-security-basic-auth-tp4662743p4662814.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
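
Added example, not part of the original post and not Tomcat or TomEE code: JAASRealm counts a Principal as a user or a role only when its runtime class name exactly equals an entry in userClassNames or roleClassNames, so a JAAS login can succeed while the realm ends up with no roles. The class PrincipalClassCheck and its nested Named/User/Group types are constructed stand-ins for whatever Principal types the login module really adds.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Added diagnostic sketch: mimics JAASRealm's class-name matching; not Tomcat or TomEE code.
public class PrincipalClassCheck {
    // Constructed stand-ins for the Principal types a login module adds to the Subject.
    static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static class User extends Named { User(String n) { super(n); } }
    static class Group extends Named { Group(String n) { super(n); } }

    // Role names the realm would see: only principals whose exact runtime
    // class name appears in roleClassNames are treated as roles.
    static List<String> roles(Subject s, Set<String> roleClassNames) {
        List<String> out = new ArrayList<>();
        for (Principal p : s.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) out.add(p.getName());
        }
        return out;
    }

    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrincipals().add(new User("alice"));   // constructed sample user
        s.getPrincipals().add(new Group("admin"));  // constructed sample role

        // These are the names to compare against userClassNames/roleClassNames.
        for (Principal p : s.getPrincipals())
            System.out.println(p.getClass().getName() + " -> " + p.getName());

        // Nested classes are named Outer$Inner: the first lookup matches,
        // the dotted spelling in the second one does not and yields no roles.
        System.out.println(roles(s, Set.of("PrincipalClassCheck$Group")));
        System.out.println(roles(s, Set.of("PrincipalClassCheck.Group")));
    }
}
```

Logging p.getClass().getName() for each Principal at the end of the login module's commit() gives the exact strings the two Realm attributes have to contain.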