Daniel Jipa wrote:
Is there another solution besides installing them as modules ? Because I have to load multiple jars there ...
Not at this time. I posted the following update to the jira issue
This is by design (explanation to follow). Although instead of modifying the security module, the best approach is to define a new static module with its own jar (placing it in the modules dir) and reference it using the module="" tag in the security domain login module stack.
The reason it is not possible to use application classes is that remoting connections perform authentication once during the negotiation phase of the connection, and all subsequent ejb (or jndi etc) invocations share the same connection. So an authenticated connection can potentially span an arbitrary number of applications, and that information can not be known at the time of authentication
So in a nutshell we don't know which deployment is going to be invoked, and since more than one can be invoked, even if we did there is ambiguity. If you have to have completely different authentication/authorization code for multiple applications this means defining multiple separate realm and security domain configurations.