Interesting and odd log entries - especially since I don't know what a good
"run" should look like. I followed the security FAQ and added the necessary
log4j config entries. After trundling through the info, I still see:
* multiple accesses to the login module's login() method; and
* inserts into the cache with different subject reference IDs
For example, I see the actual login:
| 2007-02-08 14:58:03,121 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid,
principal:U174791, cache info: null
| 2007-02-08 14:58:03,322 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
| 2007-02-08 14:58:03,322 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm]
User: U174791 is authenticated
| 2007-02-08 14:58:03,332 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| ,
sc=org.jboss.security.SecurityAssociation$SubjectContext@7c7d85{principal=U174791,subject=18143033}
|
Then access to the next URL, where the "hit" on the web app checks (and finds)
the subject in cache:
2007-02-08 14:59:09,777 DEBUG
[org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for SSO cookie
| 2007-02-08 14:59:09,777 DEBUG
[org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Checking for cached
principal for D5612028A309EA8A4A5889D393B6251A
| 2007-02-08 14:59:09,777 DEBUG
[org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] Found cached principal
'U174791' with auth type 'FORM'
|
But then access from web-app to EJB to EJB in another ear (all with same jaas policy
configured) produces:
| 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation] getPrincipal,
principal=U174791
| 2007-02-08 14:59:09,907 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=null,
sc=org.jboss.security.SecurityAssociation$SubjectContext@7aed3a{principal=U174791,subject=null}
| 2007-02-08 14:59:09,928 TRACE [org.jboss.security.SecurityAssociation]
pushRunAsIdentity, runAs=null
| 2007-02-08 14:59:09,958 TRACE [org.jboss.security.SecurityAssociation] getPrincipal,
principal=U174791
| 2007-02-08 14:59:09,958 TRACE
[org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| ,
this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413],
activeUsers=0
| 2007-02-08 14:59:09,958 TRACE
[org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| ,
this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961028413]
| 2007-02-08 14:59:09,968 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid,
principal:U174791, cache info: null
| 2007-02-08 14:59:09,968 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin,
principal=U174791
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin
getAppConfigurationEntry(acol-core-policy), size=10
| 2007-02-08 14:59:09,968 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End
getAppConfigurationEntry(acol-core-policy), authInfo=AppConfigurationEntry[]:
| [0]
| LoginModule Class: ca.acol.core.security.login.JBossLoginModule
| ControlFlag: LoginModuleControlFlag: sufficient
| Options:name=auth_ds, value=auth
|
| 2007-02-08 14:59:10,048 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin,
lc=javax.security.auth.login.LoginContext@1be9101,
subject=Subject(2223107).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791)
| 2007-02-08 14:59:10,048 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] updateCache,
inputSubject=Subject(2223107).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791)
| 2007-02-08 14:59:10,048 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info:
org.jboss.security.plugins.JaasSecurityManager$DomainInfo@31ac05[Subject(17676813).principals=org.jboss.security.SimpleGroup@28014118(Roles(members:xxx,yyy,zzz))org.jboss.security.SimplePrincipal@22316052(U174791),credential.class=java.lang.String@23438274,expirationTime=1170961148415]
| 2007-02-08 14:59:10,048 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] End isValid, true
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=Subject:
| Principal: Roles(members:xxx,yyy,zzz)
| Principal: U174791
| ,
sc=org.jboss.security.SecurityAssociation$SubjectContext@11492ed{principal=U174791,subject=28983194}
| 2007-02-08 14:59:10,048 TRACE [org.jboss.security.SecurityAssociation]
pushRunAsIdentity, runAs=null
|
|
Just to clarify wars/jars/ears involved:
.ear
- .war - struts-based web application
- .jar - contains application-specific EJBs
payment.ear
- payment.jar - real-time payment interface
.war invokes .jar to perform custom workflow, including payment. Thus .jar calls EJBs in
.jar.
Various incantations of security-domain have been used, all with the same application
policy. Log snippets above are from .war and payment.jar with the security-domain
set to acol-core-policy. I have tried adding the same security policy to .jar, but that
just increases the number of re-authentication calls.
-- James
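An added example, not part of James's post and not JBoss code: a Python script that re-joins the wrapped TRACE entries and, per principal, counts isValid cache misses and defaultLogin calls and lists the Subject ids destroyed and inserted, so the re-authentication pattern in the log above can be read off directly. The function names and the sample (abridged from the log lines quoted in the post) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the TRACE output quoted in the post, same wrapped layout.
SAMPLE = """\
| 2007-02-08 14:58:03,121 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid, principal:U174791, cache info: null
| 2007-02-08 14:59:09,958 TRACE
[org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
| Principal: U174791
this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@b05409[Subject(23167560).principals=org.jboss.security.SimplePrincipal@22316052(U174791)], activeUsers=0
| 2007-02-08 14:59:09,968 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Begin isValid,
principal:U174791, cache info: null
| 2007-02-08 14:59:09,968 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] defaultLogin, principal=U174791
| 2007-02-08 14:59:10,048 TRACE
[org.jboss.security.plugins.JaasSecurityManager.acol-core-policy] Inserted cache info:
org.jboss.security.plugins.JaasSecurityManager$DomainInfo@31ac05[Subject(17676813).principals=org.jboss.security.SimplePrincipal@22316052(U174791)]
"""

ENTRY = re.compile(r"^(?:\|\s*)?(\d{4}-\d\d-\d\d [\d:,]{12})\s+[A-Z]+\b")
MISS = re.compile(r"Begin isValid, principal:([^,\s]+), cache info: null")
LOGIN = re.compile(r"defaultLogin, principal=(\S+)")
SUBJ = re.compile(r"(destroy|Inserted cache info).*?\[Subject\((\d+)\).*?SimplePrincipal@\w+\((\w+)\)")

def entries(text):
    """Re-join wrapped lines: an entry runs from one timestamp to the next."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append([m.group(1), line[m.end():]])
        elif out:  # continuation line: drop the "| " prefix and append
            out[-1][1] += " " + line.lstrip("| ")
    return out

def summarize(text):
    """Per principal: cache misses, login-module runs, Subject ids destroyed/inserted."""
    out = defaultdict(lambda: {"cache_miss": 0, "login": 0, "destroyed": [], "inserted": []})
    for ts, msg in entries(text):
        if m := MISS.search(msg):
            out[m.group(1)]["cache_miss"] += 1
        elif m := LOGIN.search(msg):
            out[m.group(1)]["login"] += 1
        elif m := SUBJ.search(msg):
            kind = "destroyed" if m.group(1) == "destroy" else "inserted"
            out[m.group(3)][kind].append((ts, m.group(2)))
    return dict(out)
```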