8 Replies Latest reply on Oct 5, 2001 10:47 AM by dgeorge

    Stuck with Security Exception

    dgeorge

      I have created an application which authenticates a user and enables the user to access various applications based on his role. The authentication is done in a servlet, which works just fine. However, I am not able to get a reference to any bean after that.


      1 InitialContext iniContext = new InitialContext();
      2 AdminHome home = (AdminHome) iniContext.lookup("ssfile/Admin");
      3 System.out.println("Found AdminHome");
      4 Admin bean = home.create();
      5 System.out.println("Created Admin");
      6 bean.remove();

      Upon home.create()(line 4), the system breaks and gives the following error:

      --------------------------------------------------
      [EmbeddedTomcatSX] Found AdminHome
      [EmbeddedTomcatSX] Found AdminHome
      [Admin] Authentication exception, principal=null
      [Admin] Authentication exception, principal=null
      [Admin] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:

      --------------------------------------------------

      My jboss.xml is:

      <security-domain>java:/jaas/security-domain</security-domain>
      <enterprise-beans>

      <ejb-name>Security</ejb-name>
      <jndi-name>ssfile/Security</jndi-name>


      <ejb-name>Resume</ejb-name>
      <jndi-name>ssfile/Resume</jndi-name>


      <ejb-name>Admin</ejb-name>
      <jndi-name>ssfile/Admin</jndi-name>

      </enterprise-beans>


      I have noticed that if I remove <security-domain>java:/jaas/security-domain</security-domain> from the jboss.xml file, then everything works fine.
      However, I don't want to remove it. Does anyone know how to fix this?

      Thanks,

      Deepa George

        • 1. Re: Stuck with Security Exception
          jwkaltz

          Well according to what you describe, you haven't implemented / configured any EJB security (where is your JAAS login module?). So it's not surprising that EJBs which you deploy with a security context are not accessible. Of course, if you comment out the security context, then access works, but then you don't have EJB security.

          See the online documentation and/or the JavaWorld JBossSX article on how to configure EJB security in JBoss. It is not a trivial matter but believe me, when you follow the steps described in the documentation it works.

          • 2. my 2 cents
            ko5tik

            You also forgot to perform real login.

            To have working security in your app you will need the following:

            On the backend:
            - configured login modules which can authenticate
            your username/password and assign roles based on it

            - activate security in EJB descriptors

            On the frontend:
            - configured login modules for the frontend.
            Simplest would be ClientLoginModule which
            just saves supplied data for further EJB invocations
            - call to this login module from your servlet


            Note that authentication/authorisation on the frontend
            and backend is not necessarily the same.

            Your principal/credentials will be passed to the EJB backend on every invocation

            • 3. Re: Stuck with Security Exception
              dgeorge

              Thanks jwkaltz and ko5tik,

               I changed the application so that it uses a ClientLoginModule on the client-side and the DatabaseServerLoginModule on the server-side. I have a class called Authenticate that does the login. The code is as follows:

              ____________________________________________

               import javax.security.auth.login.LoginContext;
               import javax.security.auth.login.LoginException;

               public class Authenticate
               {
               public boolean authenticated(String user, String pass) throws Exception
               {
               boolean login = false;
               char[] password = pass.toCharArray();

               try
               {
               // Tell JAAS where the login configuration file lives. JAAS reads this
               // property only when the Configuration is first loaded in the VM, so it
               // must be set before the first LoginContext is created in that VM.
               System.setProperty("java.security.auth.login.config",
               "file://C:/projects/0341_ardec_ebf/lib/jboss/client/auth.conf");
               // AppCallbackHandler is the poster's own CallbackHandler (not shown here);
               // it answers the NameCallback/PasswordCallback with user and password.
               AppCallbackHandler handler = new AppCallbackHandler(user, password);
               // "other" must be the name of an entry in the configuration file above
               LoginContext lc = new LoginContext("other", handler);
               System.out.println("Created LoginContext");
               lc.login();
               login = true;
               }
               catch (LoginException le)
               {
               System.out.println("Login failed");
               login = false;
               le.printStackTrace();
               }

               return login;
               }
               }

              ________________________________________________

               (For test purposes) When a simple client class calls the above mentioned Authenticate class method, the login takes place perfectly and everything works fine.

               However, in the application I have created, the client is a servlet (required) that calls the above mentioned class method to authenticate. However, I get the following messages:
              -----------------------------------------------
              [EmbeddedTomcatSX] Login failed
               [EmbeddedTomcatSX] javax.security.auth.login.LoginException: No LoginModules configured for other
               [EmbeddedTomcatSX] at javax.security.auth.login.LoginContext.init(LoginContext.java:176)
              ------------------------------------------------
              I know this is happening because when the "LoginContext lc = new LoginContext("other",handler);" is called, it searches for "other" in the jboss.home/conf/tomcat/auth.conf file instead of jboss.home/client/auth.conf file.
              Do you know how I can fix this error? Please help!!!

              Thanks,

              Deepa George

              • 4. Re: Stuck with Security Exception
                jwkaltz

                > javax.security.auth.login.LoginException: No LoginModules configured for other

                Yeah I fought with that one too. What is happening is that the JAAS API is looking for a file
                auth.conf in the system class path, either it didn't find a file at all, or it did but this file doesn't have a JAAS configuration called "other" in it.


                > I know this is happening because when the
                > "LoginContext lc = new
                > LoginContext("other",handler);" is called, it
                > searches for "other" in the
                > jboss.home/conf/tomcat/auth.conf file instead of
                > jboss.home/client/auth.conf file.

                Well, if your code is running in your servlet environment, it probably makes sense that it would be looking in the tomcat/auth.conf ? In this case why don't you copy your "other" config to that file too. Or, you name that config "client" (for example) and use that as a LoginContext.

                Actually, I haven't been using the embedded tomcat, but have an existing Tomcat which now accesses JBoss. I had some problems because I found out that in the JAAS API it is hard-coded that it calls the System classloader and not the default classloader (which is a different one in Tomcat). In this case, I had to explicitly add the JAAS jar and my own login stuff in the classpath while starting Tomcat. But you shouldn't need to do that if you are using the embedded tomcat.

                Keep at it, it will work ...
                Wolfgang

                • 5. Re: Stuck with Security Exception
                  dgeorge

                  Thanks Wolfgang,

                  I really appreciate your help. I got this working after I copied the "other" conf. to the jboss.home/conf/tomcat/auth.conf. I also copied the required jar files from jboss.home/client to jboss.home/conf/tomcat. I can now access a bean after calling the Authenticate class which does the login. I do not logout.

                  However, when I call the bean from a new location(another class) in the application, I find that I have to login again in order to access the bean. Isn't the
                  Login context supposed to be stored somewhere till I do a logout? Why do I have to login again and again every time I want to call a method in a bean?

                  Thanks,

                  Deepa George

                  • 6. Re: Stuck with Security Exception
                    jwkaltz

                    > However, when I call the bean from a new
                    > location(another class) in the application, I find
                    > that I have to login again in order to access the
                    > bean. Isn't the
                    > Login context supposed to be stored somewhere till I
                    > do a logout? Why do I have to login again and again
                    > every time I want to call a method in a bean?

                    This is not happening in my demo application, but I've also been wondering about this very important issue. Is your other class running in the same thread ?
                    Can anyone give us some input as to how/where exactly credentials are stored by JBoss; in which case it remembers them between calls and in which case it doesn't ?

                    (yeah I know, there's the source code - I've actually started looking at it but it would certainly be helpful if we had some more info on this)

                    • 7. Re: Stuck with Security Exception
                      starksm64

                      Security information is stored in thread local variables depending on the SecurityAssociation server attribute. When true, security credentials are a property of threads. When false, security credentials are static global properties available across all threads. Inside the JBoss server VM the server attribute is always true. A client can control this property through the ClientLoginModule multi-threaded boolean property.
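
The following is an added example, not code from this thread or from JBoss itself. It ties together two points discussed above: it registers the JAAS login configuration programmatically instead of relying on the java.security.auth.login.config property, so the "No LoginModules configured for other" lookup problem from posts 3 and 4 cannot occur when the JAAS Configuration has already been loaded from a different file in the same VM, and it shows the effect of the ClientLoginModule multi-threaded option described in post 7 by checking what a second thread sees in SecurityAssociation. It assumes JBoss's org.jboss.security.ClientLoginModule and org.jboss.security.SecurityAssociation classes (the JBoss client jars must be on the classpath), a configuration entry named "client", and a constructed user name and password; ClientLoginModule does not verify them, it only caches them for the EJB invocations that follow.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.jboss.security.SecurityAssociation; // assumed JBoss client API (jboss client jars)

public class ClientLoginDemo
{
   /** Answers the NameCallback/PasswordCallback that ClientLoginModule issues. */
   static final class SimpleHandler implements CallbackHandler
   {
      private final String user;
      private final char[] password;

      SimpleHandler(String user, char[] password) { this.user = user; this.password = password; }

      public void handle(Callback[] callbacks) throws UnsupportedCallbackException
      {
         for (int i = 0; i < callbacks.length; i++)
         {
            if (callbacks[i] instanceof NameCallback)
               ((NameCallback) callbacks[i]).setName(user);
            else if (callbacks[i] instanceof PasswordCallback)
               ((PasswordCallback) callbacks[i]).setPassword(password);
            else
               throw new UnsupportedCallbackException(callbacks[i]);
         }
      }
   }

   /**
    * Programmatic equivalent of this auth.conf entry (assumed entry name "client"):
    *
    *   client {
    *      org.jboss.security.ClientLoginModule required multi-threaded="true";
    *   };
    *
    * Installing it with Configuration.setConfiguration() sidesteps the file lookup
    * entirely, so it does not matter which auth.conf the server VM loaded first.
    */
   static void installConfig(final boolean perThread)
   {
      Configuration.setConfiguration(new Configuration()
      {
         public AppConfigurationEntry[] getAppConfigurationEntry(String name)
         {
            if (!"client".equals(name)) return null;
            Map options = new HashMap();
            // multi-threaded=true: principal/credential are stored per thread
            // (SecurityAssociation server mode); false: one static pair shared by all threads
            options.put("multi-threaded", String.valueOf(perThread));
            return new AppConfigurationEntry[] {
               new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
         }

         public void refresh() {}
      });
   }

   /** Logs in on the calling thread and returns the principal name a second thread sees. */
   static String principalSeenByOtherThread(final LoginContext lc) throws Exception
   {
      final CountDownLatch loggedIn = new CountDownLatch(1);
      final Principal[] seen = new Principal[1];
      // The thread is created before login so that nothing can be inherited from the
      // login thread; it only reads SecurityAssociation after login has completed.
      Thread t = new Thread(new Runnable()
      {
         public void run()
         {
            try { loggedIn.await(); } catch (InterruptedException e) { return; }
            seen[0] = SecurityAssociation.getPrincipal();
         }
      });
      t.start();
      lc.login();          // commit() stores principal/credential in SecurityAssociation
      loggedIn.countDown();
      t.join();
      return seen[0] == null ? null : seen[0].getName();
   }

   public static void main(String[] args) throws Exception
   {
      boolean perThread = args.length > 0 && "per-thread".equals(args[0]);
      installConfig(perThread);
      // constructed sample credentials; ClientLoginModule only caches them
      LoginContext lc = new LoginContext("client", new SimpleHandler("deepa", "secret".toCharArray()));
      String other = principalSeenByOtherThread(lc);
      Principal mine = SecurityAssociation.getPrincipal();
      System.out.println("login thread sees: " + (mine == null ? null : mine.getName()));
      System.out.println("other thread sees: " + other);
      lc.logout();         // clears the stored principal/credential
   }
}
```

Run it once as `java ClientLoginDemo` (global mode, both threads report the principal) and once as `java ClientLoginDemo per-thread` (only the login thread reports it); use a fresh JVM for each run, because switching SecurityAssociation into server mode is one-way within a VM. Since the server attribute is always true inside the JBoss server VM, a servlet that logs in on one request thread must log in again on any other thread that calls the bean, which is consistent with the behaviour reported in post 5.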

                      • 8. Re: Stuck with Security Exception
                        dgeorge

                        Thanks for all the help!