Hi all,
I'm a newbie in AS development, so excuse my ignorance (and my joggled English).
Actually I'm challenged with the implementation of the security layer of my
application (called tms).
My configuration:
I put the client-application as jar-file with all further needed libraries into one
war-file, next with the server ejb and further service archives into one (huge) ear-file.
Deployment without any security works fine.
I have to meet the requirement to verify the login against LDAP,
so I set up my application policy in server/tms/conf/login.config.xml:
| <application-policy name="tms">
|   <authentication>
|     <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
|                   flag="required">
|       <module-option name="java.naming.factory.initial">
|         com.sun.jndi.ldap.LdapCtxFactory
|       </module-option>
|       <module-option name="java.naming.provider.url">
|         ldap://ldapserver:389/
|       </module-option>
|       <module-option name="java.naming.security.authentication">
|         simple
|       </module-option>
|
|       <module-option name="password-stacking">useFirstPass</module-option>
|
|       ....
|
|     </login-module>
|     <login-module code="org.jboss.security.ClientLoginModule"
|                   flag="required">
|       <module-option name="password-stacking">useFirstPass</module-option>
|     </login-module>
|   </authentication>
| </application-policy>
|
I configured my web-application in war/web-inf/web.xml:
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>restricted</web-resource-name>
|     <url-pattern>/*</url-pattern>
|   </web-resource-collection>
|   <auth-constraint>
|     <role-name>tms.user</role-name>
|   </auth-constraint>
|   <user-data-constraint>
|     <transport-guarantee>NONE</transport-guarantee>
|   </user-data-constraint>
| </security-constraint>
|
| <login-config>
|   <auth-method>BASIC</auth-method>
|   <realm-name>TMS</realm-name>
| </login-config>
|
| <security-role>
|   <role-name>tms.user</role-name>
| </security-role>
|
As a result, when requesting my application from within a web browser (localhost:8080/tms) I
see a standard web-login dialog, the login works fine, it even refuses wrong
user/passwords ;).
But the first try to request an EJB fails with
anonymous wrote : [LdapLoginModule] Bad password for username=null
So what's missing, how do I propagate the principal/credential from the initial login
to the EJB request?
One further challenge: I have to modify the Login dialog to insert a further
'mandatory' field; where can I configure and introduce my own dialog?
Thanks in advance,
Matz