so now i have a custom LoginModule that subclasses the GenericHeader module that is
included in jboss-as 4.2.3. the module successfully extracts the user_id from the header,
sets super.loginOk to true and puts the created Principal into
javax.security.auth.login.name.
when i watch the TRACE messages in the server.log, i see the next few lines that say:
| 2009-03-03 09:42:09,796 INFO [com.kryptiq.security.jboss.HeaderInjectionLoginModule] HeaderInjectionLoginModule:creating principal
| 2009-03-03 09:42:09,796 INFO [com.kryptiq.security.jboss.HeaderInjectionLoginModule] HeaderInjectionLoginModule:login returns:true
| 2009-03-03 09:42:09,802 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: admin is NOT authenticated
| 2009-03-03 09:42:09,802 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=null
| 2009-03-03 09:42:09,802 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] forwardToErrorPage
| 2009-03-03 09:42:09,802 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] SessionID: 0C6DCFB37AFF70517F44B950CCAA64B3
| 2009-03-03 09:42:09,802 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] Setting j_username = null
| 2009-03-03 09:42:09,802 TRACE [org.jboss.web.tomcat.security.ExtendedFormAuthenticator] Setting j_exception = javax.security.auth.login.LoginException: Security Exception
i'm not sure why my login module (which is returning true from login()) is being
rejected by JBossSecurityMgrRealm, saying the user is not authenticated.
what i am trying to achieve is to have this custom LoginModule intercept the presence of
an injected Header, and authenticate the user, and then have DatabaseServerLoginModule
trust this authentication, bypass its auth phase, and provide the roles. thus the desired
chain is:
| 1) is the user sending a pre-authenticated Header?
| 2) if so, authenticate them so DatabaseServerLoginModule can provide the Roles
| 3) if not, then DatabaseServerLoginModule can send the user the login screen and authenticate them itself, and then provide the Roles.
my estimation is that there is some "interplay" between the modules that i am
missing. is there a special attribute or sequence of method calls that must be performed
so that DatabaseServerLoginModule will trust the previously authenticated user and just
provide the roles?
TIA
== stanton
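The chain described in the post above, written out as a login-config.xml policy; this is an added example, not the poster's configuration or a file shipped with JBoss. It relies on the `password-stacking=useFirstPass` option of the stock JBoss login modules, under which a module skips its own credential check only when both `javax.security.auth.login.name` and `javax.security.auth.login.password` are already present in the JAAS shared state. The policy name, datasource name and SQL are placeholders.

```xml
<!-- Added example for conf/login-config.xml. Placeholders (not from the post):
     the policy name, the datasource JNDI name and the table/column names. -->
<application-policy name="header-or-form">
  <authentication>
    <!-- Step 1: runs first. flag="optional" lets the chain continue when the
         header is absent, so this module alone never decides the outcome.
         On success it has to put BOTH javax.security.auth.login.name and
         javax.security.auth.login.password into the shared state; the next
         module ignores a name that arrives without a password entry. -->
    <login-module code="com.kryptiq.security.jboss.HeaderInjectionLoginModule"
                  flag="optional"/>

    <!-- Steps 2 and 3: with useFirstPass the stock module accepts the identity
         found in the shared state without running principalsQuery, then still
         loads roles through rolesQuery. When the shared-state entries are
         missing it falls back to validating the submitted j_username and
         j_password itself. -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="dsJndiName">java:/ExampleDS</module-option>
      <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Because the first module authenticates on the header alone, the header is only meaningful when JBoss is reachable solely through the component that injects it and that component discards any copy sent by the client.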