[jboss-user] [Security & JAAS/JBoss] - Using JAAS with Thread Pools

leobaz2 do-not-reply at jboss.com
Tue Dec 2 14:41:03 EST 2008


My application consists of 2 EARs.  One EAR has the web application and presentation logic.  The other EAR consists of secured session EJBs.  

In the Web App EAR I defined a ServletContextListener that will authenticate itself with the EAR containing the secured EJBs.  I am doing this using the ClientLoginModule.  The EAR with the secured EJBs contains a SAR that defines a custom login module where I also create a custom Principal.

My problem is that when a request comes in from the web application and that thread tries to access the secured EJBs, it fails saying I am unauthorized to do so.  Does anyone know how to associate the calling thread with the security context created in the ServletContextListener?

During the JAAS authentication, I am storing the Subject returned from the login method.  I have tried Subject.doAs but it doesn't work.  I am porting my application from WebLogic where it works fine using the Subject.runAs provided by a WebLogic library.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4193853#4193853
