I quite like to share the security domain of the portal with a servlet which is in the same application context as my portlets. (The task of the servlet is to generate some images on-the-fly, but it needs to know the security context as only authenticated and authorized users are allowed to view the generated images). Looking at the description in http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss I tried the following steps: 1. I moved the portal security domain from the login configuration for the portal (JBOSS_HOME/default/deploy/jboss-portal.sar/conf/data/login-config.xml) to the JBoss AS login configuration JBOSS_HOME/default/conf/login-config.xml). <application-policy name="portal"> | <authentication> | <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient"> | <module-option name="unauthenticatedIdentity">guest</module-option> | <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option> | <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option> | <module-option name="additionalRole">Authenticated</module-option> | <module-option name="password-stacking">useFirstPass</module-option> | </login-module> | | <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > | | <!-- my ldap configuration --> | | </login-module> | </authentication> | </application-policy> 2. Configured the web.xml in my application context to secure my servlet <?xml version="1.0"?> | <!DOCTYPE web-app PUBLIC | "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" | "http://java.sun.com/dtd/web-app_2_3.dtd"> | <web-app> | | <servlet> | <servlet-name>test</servlet-name> | <display-name>test</display-name> | <servlet-class>TestServlet</servlet-class> | </servlet> | | <servlet-mapping> | <servlet-name>test</servlet-name> | <url-pattern>/test</url-pattern> | </servlet-mapping> | | | <security-constraint> | <web-resource-collection> | <web-resource-name>test</web-resource-name> | <url-pattern>/test</url-pattern> | </web-resource-collection> | <auth-constraint> | <role-name>myrole</role-name> | </auth-constraint> | </security-constraint> | | <security-role> | <role-name>myrole</role-name> | </security-role> | <security-role> | </web-app> 3. Configured the jboss-web.xml in my application context to point the portal security domain <jboss-web> | <security-domain>java:jaas/portal</security-domain> | </jboss-web> The view.jsp of my portlet references the servlet <%@ taglib uri="http://java.sun.com/portlet" prefix="portlet"%> | <%@ page isELIgnored="false"%> | | <portlet:defineObjects /> | <p>Test Portlet Servlet Interaction</p> | <iframe src=?my-web-app/test? /> The servlet currently prints out the remote user name (request. getRemoteUser()) and test if the user is in role ?myrole? (request.isUserInRole(?myrole?)) With the security constraint in place I get an HTTP Status 403 - Access to the requested resource has been denied in my iframe. If I remove the security constraint that the ouput in my iframe tells me that the remote user is null and returns false for reques.isUserInRole(?myrole?). Is it possible that a serlvet shares the same security domain as my portlets? If yes, what am I doing wrong? Thanks, Anette View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4042510#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...