Ok, I seem to have run into a bit of an issue with my application.

Firstly, I have an application-policy set up in login-config.xml, and configured with the web tier, such that in order to access any servlets (actually web services), it requires DIGEST authentication (looked up in the database).

Here is the login-config.xml. Everything else in it is as per default:
<application-policy name="MyDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/myDS</module-option>
      <module-option name="principalsQuery">SELECT password_hash FROM auth WHERE user_id=?</module-option>
      <module-option name="rolesQuery">SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">rfc2617</module-option>
      <module-option name="hashUserPassword">false</module-option>
      <module-option name="hashStorePassword">true</module-option>
      <module-option name="passwordIsA1Hash">true</module-option>
      <module-option name="storeDigestCallback">org.jboss.security.auth.spi.RFC2617Digest</module-option>
    </login-module>
  </authentication>
</application-policy>
These services access EJBs, which are set up thus:
@Stateful
@Local(CategoriesManagerLocal.class)
@SecurityDomain("MyDomain")
@RolesAllowed({"Soap","Native"})
public class CategoriesManagerBean implements CategoriesManagerLocal {
    // bean methods omitted
}
This is working fine at the moment, HOWEVER, I also need to access these beans from an incoming JCA Resource Adapter (i.e. a custom TCP/IP protocol) which, as part of the protocol, does its own DIGEST authentication implementation. What I need to do is programmatically authenticate this user with the container, so that I can then access these same beans.
I had tried accessing them like this:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// 'user' is the identity already authenticated by the resource adapter's own DIGEST exchange
Properties env = new Properties();
env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.LoginInitialContextFactory");
env.setProperty(Context.PROVIDER_URL, "jnp://localhost:1099");
env.setProperty(Context.SECURITY_PROTOCOL, "MyDomain");
env.setProperty(Context.SECURITY_PRINCIPAL, String.valueOf(user.getId()));
env.setProperty(Context.SECURITY_CREDENTIALS, user.getPasswordHash()); // stored hash, not plaintext

Context ctx = new InitialContext(env);
CategoriesManagerLocal categoriesBean = (CategoriesManagerLocal) ctx.lookup("myapp/CategoriesManagerBean/local");
categoriesBean.doMyAction();
This naturally fails, as I'm passing in the already hashed password from the database (I cannot access the plaintext of it) as the credentials, but the settings in the application-policy mean that it will try and use that hashed data as the plaintext, and thus I get:
FATAL [com.myorg.myapp] Failed to login using protocol=MyDomain
So I tried to add a second application-policy, "MyDomainInternal", to login-config.xml, which has all the hashing options taken out, and referring to that in the SECURITY_PROTOCOL. This seems to authenticate the user OK, but then it seems to also check against the "MyDomain" policy, and fails. Is this because I have specified @SecurityDomain("MyDomain") on the EJB? There doesn't seem to be any way to define multiple domains on a bean.
Logfile with security TRACE options enabled follows:
2007-06-07 16:01:51,701 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(MyDomainInternal), size=10
2007-06-07 16:01:51,701 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(MyDomainInternal), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=rolesQuery, value=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?
name=principalsQuery, value=SELECT password_hash FROM auth WHERE user_id=?
name=dsJndiName, value=java:/myDS

2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize, instance=@2036027929
2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Security domain: FirstAlertGatewayInternal
2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/myDS
2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT password_hash FROM auth WHERE user_id=?
2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?
2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendResume=true
2007-06-07 16:01:51,702 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
2007-06-07 16:01:51,703 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
2007-06-07 16:01:51,704 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT password_hash FROM auth WHERE user_id=?, with username: 0
2007-06-07 16:01:51,705 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Obtained user password
2007-06-07 16:01:51,705 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User '0' authenticated, loginOk=true
2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] getRoleSets using rolesQuery: SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?, username: 0
2007-06-07 16:01:51,706 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
2007-06-07 16:01:51,709 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?, with username: 0
2007-06-07 16:01:51,710 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role Native
2007-06-07 16:01:51,710 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Assign user to role Soap
2007-06-07 16:01:51,710 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
2007-06-07 16:01:51,789 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
2007-06-07 16:01:51,789 TRACE [org.jboss.security.plugins.JaasSecurityManager.MyDomain] Begin isValid, principal:null, cache info: null
2007-06-07 16:01:51,789 TRACE [org.jboss.security.plugins.JaasSecurityManager.MyDomain] defaultLogin, principal=null
2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(MyDomain), size=10
2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(MyDomain), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: sufficient
Options:name=hashEncoding, value=rfc2617
name=rolesQuery, value=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?
name=principalsQuery, value=SELECT password_hash FROM auth WHERE user_id=?
name=hashUserPassword, value=false
name=passwordIsA1Hash, value=true
name=hashAlgorithm, value=MD5
name=hashStorePassword, value=true
name=storeDigestCallback, value=org.jboss.security.auth.spi.RFC2617Digest
name=dsJndiName, value=java:/myDS

2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize, instance=@5298117
2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Security domain: MyDomain
2007-06-07 16:01:51,790 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Password hashing activated: algorithm = MD5, encoding = rfc2617, charset = {default}, callback = null, storeCallback = org.jboss.security.auth.spi.RFC2617Digest
2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/myDS
2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT password_hash FROM auth WHERE user_id=?
2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT role AS Role,"Roles" AS RoleGroup FROM role WHERE user_id=?
2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendResume=true
2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=null
2007-06-07 16:01:51,791 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
2007-06-07 16:01:51,792 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT password_hash FROM auth WHERE user_id=?, with username: null
2007-06-07 16:01:51,793 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Query returned no matches from db
2007-06-07 16:01:51,793 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
2007-06-07 16:01:51,794 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort
2007-06-07 16:01:51,794 TRACE [org.jboss.security.plugins.JaasSecurityManager.FirstAlertGateway] Login failure
javax.security.auth.login.FailedLoginException: No matching username found in Principals
    at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:152)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:206)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
Am I close, or totally barking up the wrong tree?
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4051960#...
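Added illustration (not part of the original post, and written in Python rather than the poster's Java) of what the MyDomain settings passwordIsA1Hash=true and hashEncoding=rfc2617 imply: the auth table holds the RFC 2617 HA1 = MD5(user:realm:password); the web tier can verify a DIGEST response from that HA1 alone, but a policy that treats SECURITY_CREDENTIALS as a plaintext password re-hashes whatever it is given, so handing it the stored HA1 never matches. The realm name, password, URI and nonce values below are constructed assumptions, not values from the post.

```python
import hashlib
import hmac

# Constructed sample values; realm, user, password and nonces are assumptions, not from the post.
REALM = "MyDomain"
USER = "0"
PASSWORD = "s3cret"  # plaintext exists only on the client side


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def a1_hash(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password): the value passwordIsA1Hash=true
    expects to find in the password_hash column."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, client_response: str) -> bool:
    """Server-side DIGEST check: needs only the stored HA1, never the plaintext."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


def plaintext_policy_login(stored_ha1: str, credential: str, user: str, realm: str) -> bool:
    """Models the MyDomain policy handling SECURITY_CREDENTIALS: the supplied value is
    treated as a plaintext password, hashed to A1, and compared with the stored hash."""
    return hmac.compare_digest(a1_hash(user, realm, credential), stored_ha1)


def demo() -> dict:
    stored = a1_hash(USER, REALM, PASSWORD)  # what the auth table holds
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    uri = "/myapp/services/categories"
    resp = digest_response(stored, "GET", uri, nonce, nc, cnonce)  # computed by the client
    return {
        "digest_from_ha1_ok": verify_digest(stored, "GET", uri, nonce, nc, cnonce, resp),
        "hash_as_password_ok": plaintext_policy_login(stored, stored, USER, REALM),  # the post's failure
        "plaintext_ok": plaintext_policy_login(stored, PASSWORD, USER, REALM),
    }
```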