0 Replies Latest reply on Aug 14, 2003 1:25 PM by witsend

    Authentication question

    witsend

      I am running JBoss3.2.1 with a Java client. I have created a client login module by extending the JBoss ClientLoginModule.

      On the server I extended AbstractServerLoginModule.

      When I start up the client, login happens on the client and the server without any problems. Authentication is done in the server login module's commit method via a database call. I am able to access all of my SessionBeans from the client without problem.

      To get the message beans to work I had to do the following. I modified my login-config, changing the authentication section of my application policy by adding the second login-module and setting the flag of the first to sufficient.


      <login-module code="com.tripos.chemcore.server.authentication.jboss32.JBoss32ServerLoginModule"
                    flag="sufficient" />
      <login-module flag="required" code="com.tripos.chemcore.server.authentication.jboss32.JBoss32AnonLoginModule">
          <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>



      For my message beans that are accessed via the local interface on the server I had to create another LoginModule by extending JBoss class AnonLoginModule. I implement only the getRoleSets method.

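      // Imports needed by this method:
      import java.security.acl.Group;
      import javax.security.auth.login.LoginException;
      import org.jboss.security.SimpleGroup;
      import org.jboss.security.SimplePrincipal;

      // Gives every caller handled by this module the single role "guest".
      protected Group[] getRoleSets() throws LoginException {
          String[] names = {"guest"};
          // JBoss reads the caller's roles from the group named "Roles".
          Group[] groups = {new SimpleGroup("Roles")};

          for (int i = 0; i < names.length; i++) {
              // Use names[i]: SimplePrincipal takes one role name, not the whole array.
              SimplePrincipal role = new SimplePrincipal(names[i]);
              groups[0].addMember(role);
          }
          return groups;
      }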

      The call is made to this login with username and password = null. The login module assigns the user the role of guest. I modified the ejb-jar.xml to create a guest security role for the message beans and things work great.

      My question is: why is this necessary? For the remote calls from the client, JBoss handles the username and password. Why doesn't this happen when these calls result in a call to the local interface on the server?

      I would really appreciate it if someone could explain this or point me to a reference. Things are working now but I am not sure if I did the right thing.
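
Added example, not part of the post above and not JBoss code: the post's flag order (first module "sufficient", second "required") run through the JDK's own JAAS LoginContext, to show which module decides the outcome in each case. It assumes JBoss applies the standard JAAS control-flag semantics; FlagDemo, Toy and the option names "ok" and "as" are hypothetical stand-ins, not the JBoss32ServerLoginModule or JBoss32AnonLoginModule classes.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class FlagDemo {
    // Hypothetical stand-in module: succeeds or fails according to its "ok" option.
    public static class Toy implements LoginModule {
        private Subject subject; private Map<String, ?> opts; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) { subject = s; opts = o; }
        public boolean login() throws LoginException {
            ok = "true".equals(opts.get("ok"));
            if (!ok) throw new FailedLoginException("rejected by " + opts.get("as"));
            return true;
        }
        public boolean commit() { // commit() is also invoked on a module whose login() failed
            if (ok) { String n = (String) opts.get("as"); subject.getPrincipals().add((Principal) () -> n); }
            return ok;            // false = "ignore this module"
        }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { return true; }
    }
    // Same flag order as the post: first module SUFFICIENT, second REQUIRED.
    static String outcome(boolean firstOk, boolean secondOk) {
        AppConfigurationEntry[] stack = {
            new AppConfigurationEntry(Toy.class.getName(), LoginModuleControlFlag.SUFFICIENT,
                Map.of("ok", String.valueOf(firstOk), "as", "db-user")),
            new AppConfigurationEntry(Toy.class.getName(), LoginModuleControlFlag.REQUIRED,
                Map.of("ok", String.valueOf(secondOk), "as", "guest")) };
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        try {
            Subject subject = new Subject();
            new LoginContext("demo", subject, null, cfg).login();
            return "authenticated as " + subject.getPrincipals().iterator().next().getName();
        } catch (LoginException e) { return "denied"; }
    }
    public static void main(String[] args) {
        for (boolean first : new boolean[] {true, false})
            for (boolean second : new boolean[] {true, false})
                System.out.println("first=" + first + " second=" + second + " -> " + outcome(first, second));
    }
}
```

When the first module succeeds the second is never consulted; when the first fails, the login is granted or denied by the second module alone, so the conditions under which that fallback module accepts a caller define who ends up with its identity and roles.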