Thanks for the quick reply. Where do I set unathenticatedIdentity?

I searched the forums, google and the source code and found nothing on the subject. I'll try setting it as a parameter to the login module.

Just a second after posting this turns out I already have this code in my login-config.xml:
<login-module code="org.jboss.security.auth.spi.AnonLoginModule" flag="required">
<module-option name="unauthenticatedIdentity">guest</module-option>
</login-module>


You must have miss spelled the string. Anyway this obviously doesn't help since I don't go through the login module during the servlet init() method.

Okay, I wrote a workaround. Its crap and I didn't want to do this but apparently its the only way that works that doesn't ivolve getting deep into the guts of JBoss.

I created a servlet that starts a thread in the init() method and calls itself over by requesting its own URL. Then the servlet service method that is running as a guest user can perform the initialization.

This sucks! While it works its:

1. Insecure, since initialization can be a lengthly process people over on the internet can use it as a DoS attack by simply requesting the servlet (they couldn't do the same with a session bean, even a remote session bean won't be accessible VIA the firewall).

2. I have to wait 1 second within the init() in order to do the callback. So JBoss may claim that it finished initialization when in fact it hasn't.

I think the whole JBoss security module is really problematic, someone tried to make it elegant and instead made it too complex and almost useless.

Even this doensn't work and I'm getting tired of this whole thing.
By using unauthenticatedIdentity the servlet gets the guest role but whenever my webclient tries to enter the page (with Basic authentication) it gets back the wrong http reply (as if the permission is denied rather than authentication is required).