> The principal is created in the client login module,
> and propagated across the wire. Why don't you extend
> the client side stuff? You will have to write another
> Principal, since the SimplePrincipal used by
> ClientLoginModule holds only a single string, and
> yours needs to hold two - the user and ssn.

Yeah that is what i had in mind, but after i traced through the login modules, there is no principal being created anywhere with that username (I am not using 'shared login'. What does that mean? I guess that is jboss specifc? ). I put a println in everywhere a new SimplePrincipal or new Principal gets created and nothing ever gets created with 'ssn##java'; only 'java'. Can you give it a try?


> The ssn could be collected by a TextInputCallback.setText()in your callback handler.

This will not work. I tried it and my login fails everytime, unless i take the line including TextInputHandler out of the code; heck nothing comes back from the container, no messages or debug statements or anything. This looks like a bug. It is unclear how the TextInputHandler would even map to a login form anyways. Maybe there should be a HTMLInputHandler class that takes the name of the field as a constructor argument. What if i had two or three or four other values on the login page? How would i distinguish between them?

The more i see of JAAS in JBoss the more frustrated i get. I am not sure if it is just this implementation or jaas in general. It seems very inflexible.

1) I can't manually login against the container and have resources available to me other than from the Servlet in which I did the manual login call.

I should be able to create a login page and have it call my login servlet, do the login, and if successful, have access to any protected resource allowed to me without having to login on every request.


2) The mapping of callbacks to the form inputs is very unclear. What does the prompt arguement do for a HTML form?











>
> I recall the contributed server-side code also uses a
> SimplePrincipal, so you'll need to make some
> extensions/changes there, too.

> not sure if this is what you are looking for
> but in ClientLoginModule
> search for
> SecurityAssociation.setPrincipal(new
> SimplePrincipal(username));

Where is this class? I do not see it in CVS. Since it is not imported it must be in the org.jboss.security package. This means it is not portable. I thought the whole idea of using Jaas for authentication and authorization was to be portable?

i dont see a 'SecurityAssociation" source there. Can you take a look?