Hi,
I am running JAAS on JBOSS 3.2.2x with a security domain login based on
org.jboss.security.auth.spi.DatabaseServerLoginModule.
Everything works fine with web applications that have explicit login to the security domain,
i.e. ones that have this kind of thing in jboss-web.xml:
<jboss-web>
    <security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>
From login-config.xml:
<application-policy name="mydomain">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
        <module-option name="dsJndiName">java:/ds/mydomain</module-option>
        <module-option name="principalsQuery">SELECT passWord FROM users WHERE userName = ?</module-option>
        <module-option name="rolesQuery">SELECT role, 'Roles' FROM roles WHERE userName = ?</module-option>
    </login-module>
</application-policy>
<application-policy name="client-login">
    <login-module code="org.jboss.security.ClientLoginModule"
                  flag="required">
    </login-module>
</application-policy>
The problems occur when a web module does not have explicit login.
The first time a bean instance is created, the following code is executed:
LoginContext auth = new LoginContext("client-login", new UsernamePasswordHandler("myUser", "myPwd"));
auth.login();
The thing is that every time a call to that bean instance is made in another thread (but the same HttpSession, of course) I get
"java.lang.SecurityException: Authentication exception, principal=null"
The bean is cached in the HttpSession. Making another call to auth.login() before EVERY call to that bean instance solves this problem too.
Over to my tricky problem:
When the container eventually calls ejbPassivate() on the bean instance the problem reoccurs.
I have no possibility to call auth.login() in that case, of course, so my logs are filled with
"java.lang.SecurityException: Authentication exception, principal=null" every time a bean instance has to be passivated by the container.
Does anyone recognise this problem?
Any light on this dilemma would be highly appreciated.
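
Added example, not part of the original post: the per-call login workaround described above, wrapped so that every call logs in on the thread that makes it and logs out afterwards. `ClientLoginInvoker`, `invoke` and the `bean.doWork()` call in the comment are hypothetical names; the code assumes that ClientLoginModule associates the identity with the calling thread, which matches the behaviour reported in the post.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.login.LoginContext;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/**
 * Hypothetical helper (not from the post): runs one bean call with the
 * caller identity established through the "client-login" policy from
 * login-config.xml, on whichever thread happens to make the call.
 */
public final class ClientLoginInvoker {
    private final String username;
    private final char[] password;

    public ClientLoginInvoker(String username, char[] password) {
        this.username = username;
        // Defensive copy so the caller can wipe its own array.
        this.password = (char[]) password.clone();
    }

    /**
     * Logs in, runs the call, and always logs out again.
     * Assumption: ClientLoginModule binds the principal and credential to
     * the current thread, so the login has to happen on the thread that
     * performs the EJB call, not once when the bean is created.
     */
    public Object invoke(PrivilegedExceptionAction call) throws Exception {
        LoginContext auth = new LoginContext("client-login",
                new UsernamePasswordHandler(username, password));
        auth.login();
        try {
            return call.run();
        } finally {
            // Servlet containers reuse worker threads. Without logout()
            // the identity could stay attached to the thread and be
            // picked up by an unrelated request served by it later.
            auth.logout();
        }
    }
}

// Usage from a servlet or JSP (bean.doWork() is a placeholder):
//
//   Object result = invoker.invoke(new PrivilegedExceptionAction() {
//       public Object run() throws Exception {
//           return bean.doWork();
//       }
//   });
```

This only covers calls made from application code; it does not reach container-initiated callbacks such as the ejbPassivate() case described above.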