0 Replies Latest reply on Jul 18, 2002 12:08 PM by bernie

    User and role mapping on web server

    bernie

      Hi,

      I'm using JBoss 2.4.4 / Tomcat 4.0.1 bundle. My servlet does
      authenticationManager.isValid(principal, password);
      realmMapping.doesUserHaveRole(principal, requiredRoles);
      for authentication and authorization. Both work fine after deployment.

      After that I use
      SecurityAssociation.setPrincipal(principal);
      SecurityAssociation.setCredential(password);
      SecurityAssociation.pushRunAsRole(role);
      to propagate the login information to the environment. Even though I've done
      this, catalina webserver still denies access to a secured servlet, which
      has a security constraint:

      ------------------------------------------------------------
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>RestrictedAdminServletPath</web-resource-name>
          <description>
            This servlet is accessible for authenticated administrators
            who are in role "admin".
          </description>
          <url-pattern>/admin/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Biber Servlet</realm-name>
      </login-config>
      <security-role>
        <description>Users allowed to use AdminServlet</description>
        <role-name>admin</role-name>
      </security-role>
      ------------------------------------------------------------

      The previously authenticated user is in role "admin", of course.
      This information is included in the principal object. So it seems that the webserver
      doesn't get the data from SecurityAssociation, or maybe the mapping from
      "role" in servlet to "role-name" in web.xml deployment descriptor doesn't work.

      Any suggestions? Am I missing a configuration?

      Bert
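The container evaluates a security-constraint against the roles its own realm assigned to the request's principal, before any servlet runs; the following added example (not code from the post, JBoss or Tomcat) models that decision in plain Java over a constructed web.xml so the role check can be exercised in isolation. The class name ConstraintCheck, the embedded WEB_XML string and the simplified prefix/exact URL matching are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ConstraintCheck {
    // Constructed web.xml (sample input), reduced to the constraint from the post.
    static final String WEB_XML = "<web-app><security-constraint><web-resource-collection>"
        + "<url-pattern>/admin/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>"
        + "</web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint>"
        + "</security-constraint></web-app>";
    static List<String> texts(Element e, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nl = e.getElementsByTagName(tag);
        for (int i = 0; i < nl.getLength(); i++) out.add(nl.item(i).getTextContent().trim());
        return out;
    }
    // Simplified servlet-style URL matching: path prefix ("/admin/*") or exact path.
    static boolean matches(String pattern, String path) {
        if (!pattern.endsWith("/*")) return pattern.equals(path);
        String prefix = pattern.substring(0, pattern.length() - 2);
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }
    // Decides like the container does: only roles the container's realm assigned count,
    // thread-local state set inside a servlet (SecurityAssociation) never enters this check.
    static boolean allowed(String webXml, String method, String path, Set<String> realmRoles) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE processing
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(webXml.getBytes("UTF-8")));
        NodeList cs = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < cs.getLength(); i++) {
            Element c = (Element) cs.item(i);
            boolean pathHit = false;
            for (String p : texts(c, "url-pattern")) pathHit |= matches(p, path);
            List<String> methods = texts(c, "http-method"); // listing methods covers only those
            if (!pathHit || (!methods.isEmpty() && !methods.contains(method))) continue;
            NodeList ac = c.getElementsByTagName("auth-constraint");
            if (ac.getLength() == 0) continue;                // no auth-constraint: open to all
            List<String> roles = texts((Element) ac.item(0), "role-name");
            boolean ok = false;                               // empty auth-constraint denies everyone
            for (String r : roles) ok |= r.equals("*") || realmRoles.contains(r);
            if (!ok) return false;
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(allowed(WEB_XML, "GET", "/admin/users", Set.of("admin")) + " "
            + allowed(WEB_XML, "POST", "/admin/users", Set.of()));
    }
}
```

Because `<http-method>` entries restrict the constraint to the listed methods, omitting them covers every method; that is the safer default for an admin path.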