The answer is yes you do you need an entry in web.xml to prevent the above exception
| <security-constraint> |
| | <web-resource-collection> |
| | <web-resource-name>All resources</web-resource-name> |
| | <description>Protects all resources</description> |
| | <url-pattern>*.do</url-pattern> |
| | </web-resource-collection> |
| </security-constraint> |
I also found that you now need a jboss-web.xml file aswell as a jboss-app.xml, in the old versions of AS 4.2.3 the jboss-app.xml was all that was needed in an ear file..
I have now ported openam 3.0.3 agent to work using a module in as7 via servlet3 login and the changes above