Hi again; i have forgotten that in the login-config.xml i have inserted this:

<!-- Bind workflow security domain to staffmgmt authentication -->
<application-policy name = "danetworkflow">
<authentication>
<login-module code = "org.jboss.security.auth.spi.ProxyLoginModule"
flag = "required">
<module-option name = "moduleName">de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule</module-option>
<module-option name = "unauthenticatedIdentity">nobody</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "daemonUsername">daemon</module-option>
<module-option name = "daemonPassword">Afaik,tiagp.</module-option>
</login-module>
</authentication>
</application-policy>

<!-- Bind workflow security domain to staffmgmt authentication -->
<application-policy name = "danetworkflow-ia">
<authentication>
<login-module code = "org.jboss.security.auth.spi.ProxyLoginModule"
flag = "required">
<module-option name = "moduleName">de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "Principal">StaffManagementRole_0</module-option>
</login-module>
</authentication>
</application-policy>

Hi i haven't showed the de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule, here it is:

import java.security.acl.Group;
import java.util.Map;
import java.util.List;
import java.util.ArrayList;
import java.sql.Connection;
import java.sql.Statement;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * A login module that uses methods from the staff management package
 * to authenticate the users.<P>
 *
 * The resulting LoginContext has as CallerPrincipal
 * "<code>StaffManagementMember_<i>DBId</i></code>" where
 * <code><i>DBId</i></code> is the primary key of the
 * <code>StaffManagementMember</code>.<P>
 *
 * Every authenticated user has a default role
 * "<code>StaffManagementUser</code>" assigned. Additional
 * roles are derived from the group memberships of the authenticated
 * member. Groups with primary keys less than 100 have role names
 * "<code>StaffManagementRole_<i>DBId</i></code>" where
 * <code><i>DBId</i></code> is the primary key of the
 * <code>StaffManagementGroup</code>. For other groups the group
 * name is used directly as role name.<P>
 *
 * Groups with primary keys below 100 are handled specially to simplify
 * internationalization. Those group ids are never assigned when a group
 * is created. Rather, those are predefined groups such as "administrators"
 * with permissions properly configured in the deployment descriptors.
 * By using "<code>StaffManagementRole_<i>DBId</i></code>" as role,
 * it is not necessary to modify the deployment descriptors when the
 * group name of those administrative groups is changed.
 */
public class StaffMemberLoginModule extends UsernamePasswordLoginModule {

 private String dsJndiName;
 private String daemonUsername = null;
 private String daemonPassword = null;

 /**
 * Initialize this LoginModule.
 */
 public void initialize(Subject subject, CallbackHandler callbackHandler,
 Map sharedState, Map options) {
 super.initialize(subject, callbackHandler, sharedState, options);

 dsJndiName = (String) options.get("dsJndiName");
 if( dsJndiName == null ) {
 dsJndiName = "java:/DefaultDS";
 }

 daemonUsername = (String) options.get("daemonUsername");
 daemonPassword = (String) options.get("daemonPassword");
 }

 /**
 * Return <code>null</code> as the cleartext password is not available.
 * This is not a problem as we override <code>validatePassword</code>
 * as well.
 * @return null
 * @throws LoginException as defined by the interface, not really thrown.
 */
 protected String getUsersPassword() throws LoginException {
 return null;
 }

 /**
 * The validation of the input password against the expected password.
 * This version ignores the value of the expected password and uses
 * methods from staff management to verify the password.
 * @param inputPassword the password as given by the user.
 * @param expectedPassword the expected password, ignored.
 * @return true if the inputPassword is valid, false otherwise.
 */
 protected boolean validatePassword
 (String inputPassword, String expectedPassword) {
 if(getUsername() == null || inputPassword == null) {
 return false;
 }
 if (daemonUsername != null && getUsername().equals (daemonUsername)
 && daemonPassword != null
 && inputPassword.equals (daemonPassword)) {
 return true;
 }
 Connection con = null;
 PreparedStatement ps = null;
 ResultSet rs = null;
 try {
 InitialContext ctx = new InitialContext();
 DataSource ds = (DataSource) ctx.lookup(dsJndiName);
 con = ds.getConnection();
 // Get the password
 ps = con.prepareStatement
 ("SELECT PASSWORD FROM STAFFMEMBER WHERE MEMBERID = ?");
 ps.setString(1, getUsername());
 rs = ps.executeQuery();
 if(rs.next()) {
 return rs.getString(1).equals (inputPassword);
 }
 } catch(NamingException ex) {
 ex.printStackTrace();
 } catch(SQLException ex) {
 ex.printStackTrace();
 } finally {
 try {
 closeAll (rs, ps, con);
 } catch (SQLException ex) {
 ex.printStackTrace();
 }
 }
 return false;
 }

 /**
 * Overriden to return the Groups that correspond to the role sets
 * assigned to the user. Creates a Group named "Roles" that
 * contains the Role "StaffManagementUser". A second group is
 * "CallerPrincipal" that provides the
 * {@link de.danet.an.staffmgmt.domain.StaffMember#key
 * application identity} rather than the security domain identity.
 * @return Group[] containing the sets of roles
 * @throws LoginException as defined by the interface, not really thrown.
 */
 protected Group[] getRoleSets() throws LoginException {
 if (getUnauthenticatedIdentity() != null
 && getIdentity().equals (getUnauthenticatedIdentity())) {
 Group[] grps = new Group[0];
 return grps;
 }
 if (daemonUsername != null && getUsername().equals (daemonUsername)) {
 // Create Caller Principal
 SimpleGroup princip = new SimpleGroup("CallerPrincipal");
 princip.addMember
 (new SimplePrincipal ("StaffManagementMember_Daemon"));
 // create roles, start with default role
 Group roles = new SimpleGroup("Roles");
 SimplePrincipal p = new SimplePrincipal("StaffManagementUser");
 roles.addMember(p);
 p = new SimplePrincipal("StaffManagementRole_Daemon");
 roles.addMember(p);
 Group[] grps = new Group[] { princip, roles };
 return grps;
 }
 List groups = new ArrayList();
 // gather information
 Connection con = null;
 try {
 // prepare db connection
 InitialContext ctx = new InitialContext();
 DataSource ds = (DataSource) ctx.lookup(dsJndiName);
 con = ds.getConnection();
 // Create Caller Principal
 long memberDBId = addCallerPrincipal (con, groups);
 // create roles, start with default role
 SimpleGroup rolesGroup = new SimpleGroup("Roles");
 groups.add (rolesGroup);
 SimplePrincipal p = new SimplePrincipal("StaffManagementUser");
 rolesGroup.addMember(p);
 // add roles from db
 addGroupsAsRoles (con, rolesGroup, memberDBId, true);
 } catch(NamingException ex) {
 throw new LoginException(ex.toString(true));
 } catch(SQLException ex) {
 ex.printStackTrace();
 throw new LoginException(ex.toString());
 } finally {
 try {
 closeAll (null, null, con);
 } catch (SQLException ex) {
 ex.printStackTrace();
 throw new LoginException(ex.toString());
 }
 }

 Group[] roleSets = new Group[groups.size()];
 groups.toArray(roleSets);
 return roleSets;
 }

 /**
 * Adds the "CallerPrincipal" group with the autheticated user as
 * principal to the groups.
 *
 * @param con the connection to the database.
 * @param groups the groups.
 * @return the DBId of the authenticated user.
 */
 private long addCallerPrincipal (Connection con, List groups)
 throws SQLException, LoginException {
 PreparedStatement ps = null;
 ResultSet rs = null;
 long dbid = 0;
 try {
 ps = con.prepareStatement
 ("SELECT DBID FROM STAFFMEMBER WHERE MEMBERID = ?");
 ps.setString(1, getUsername());
 rs = ps.executeQuery();
 if(! rs.next()) {
 throw new LoginException
 ("Authenticated user vanished from table");
 }
 dbid = rs.getLong(1);
 SimpleGroup rolesGroup = new SimpleGroup("CallerPrincipal");
 groups.add(rolesGroup);
 rolesGroup.addMember
 (new SimplePrincipal
 ("StaffManagementMember_" + dbid));
 } finally {
 closeAll (rs, ps, null);
 }
 return dbid;
 }

 /**
 * Adds the roles derived from the groups in the database.
 *
 * @param con the connection to the database.
 * @param roles the groups.
 * @param id the dbid for which to add the groups.
 * @param isMember <code>true</code> if <code>id</code> is a
 * staff member id (not a staff group id).
 * @return the DBId of the authenticated user.
 */
 private void addGroupsAsRoles (Connection con, SimpleGroup roles,
 long id, boolean isMember)
 throws SQLException, LoginException {
 PreparedStatement ps = null;
 ResultSet rs = null;
 try {
 String type = "M";
 if (!isMember) {
 type = "G";
 }
 ps = con.prepareStatement
 ("SELECT GROUPID FROM STAFFMAP "
 + "WHERE CONTAINED = ? AND TYPE = ?");
 ps.setLong(1, id);
 ps.setString(2, type);
 rs = ps.executeQuery();
 while(rs.next()) {
 long grpId = rs.getLong(1);
 if (grpId < 100) {
 roles.addMember (new SimplePrincipal
 ("StaffManagementRole_" + grpId));
 } else {
 roles.addMember
 (new SimplePrincipal (lookupGroup (con, grpId)));
 }
 addGroupsAsRoles (con, roles, grpId, false);
 }
 } finally {
 closeAll (rs, ps, null);
 }
 }

 /**
 * Looks up the group name for a given group id.
 *
 * @param con the connection to the database.
 * @param id the group id
 * @return the group name.
 */
 private String lookupGroup (Connection con, long grpId)
 throws SQLException, LoginException {
 PreparedStatement ps = null;
 ResultSet rs = null;
 try {
 ps = con.prepareStatement
 ("SELECT NAME FROM STAFFGROUP WHERE DBID = ?");
 ps.setLong(1, grpId);
 rs = ps.executeQuery();
 if (!rs.next()) {
 throw new LoginException
 ("Group vanished from table");
 }
 return rs.getString(1);
 } finally {
 closeAll (rs, ps, null);
 }
 }

 /**
 * Close a connection, a prepared statement or a statement and a
 * result set, if allocated, i.e. if != null.
 * @param rs a result set or null.
 * @param st a prepared statement, statement or null
 * @param con a connection or null.
 * @throws SQLException if a sql error occurs.
 */
 private void closeAll (ResultSet rs, Statement st,
 Connection con) throws SQLException {
 if (rs != null) {
 rs.close ();
 }
 if (st != null) {
 st.close ();
 }
 if (con != null) {
 con.close ();
 }
 }
}

Hi again.. well i have changed my servlet code; now it's this one:

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Principal;

import java.util.Set;
import java.util.Iterator;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpSession;

import java.io.IOException;

public class Dispatcher extends HttpServlet {

 /** The WLS security class. Indicates if WLS security is used. */
 private Class wlsSec = null;

 /** The context used for the login and logout operations */
 private LoginContext loginContext;
 private static final org.apache.commons.logging.Log logger
 = org.apache.commons.logging.LogFactory.getLog
 (Dispatcher.class);

 private String applicationPolicy = "client-login";

 //Initialize global variables
 public void init() throws ServletException {
 }

 //Process the HTTP Get request
 public void doGet(HttpServletRequest request, HttpServletResponse response) throws
 ServletException, IOException {
 doPost( request, response );
 }

 //Process the HTTP Post request
 public void doPost(HttpServletRequest request, HttpServletResponse response) throws
 ServletException, IOException {

 String username = request.getParameter( "username" );
 String password = request.getParameter( "password" );
 System.out.println( "Tento login con username: ["+ username+ "] e password: ["+password+"]" + " Il principal è nullo? "+ ( request.getUserPrincipal() ) );
 request.getRequestDispatcher( "/processDef.jsp" ).forward( request, response );
 //response.sendRedirect( "processDef.jsp" );

 }

 //Clean up resources
 public void destroy() {
 }
}

import java.io.IOException;

import java.util.Set;
import java.util.Iterator;
import java.util.Enumeration;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Principal;


import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.jboss.security.SimplePrincipal;

import de.danet.an.workflow.api.WorkflowServiceFactory;
import de.danet.an.workflow.api.WorkflowService;

public class LoginFilter implements Filter {

 private String applicationPolicy = null;
 private static final org.apache.commons.logging.Log logger
 = org.apache.commons.logging.LogFactory.getLog
 (LoginFilter.class);

 /**
 * Simple login context for authentication.
 */
 private static class LoginFilterLoginContext extends LoginContext {

 private static class CBH implements CallbackHandler {
 private String userName = null;
 private String password = null;

 public CBH(String userName, String password) {
 this.userName = userName;
 this.password = password;
 }

 public void handle(Callback[] callbacks) throws
 UnsupportedCallbackException, IOException {

 for (int i = 0; i < callbacks.length; i++) {
 if (callbacks instanceof TextOutputCallback) {
 // display the message according to the specified type
 TextOutputCallback toc
 = (TextOutputCallback) callbacks;
 switch (toc.getMessageType()) {
 case TextOutputCallback.INFORMATION:
 System.err.println(toc.getMessage());
 break;
 case TextOutputCallback.ERROR:
 System.err.println("ERROR: " + toc.getMessage());
 break;
 case TextOutputCallback.WARNING:
 System.err.println("WARNING: " + toc.getMessage());
 break;
 default:
 throw new IOException
 ("Unsupported message type: "
 + toc.getMessageType());
 }
 } else if (callbacks instanceof NameCallback) {
 // prompt the user for a username
 NameCallback nc = (NameCallback) callbacks;
 nc.setName(userName);
 } else if (callbacks instanceof PasswordCallback) {
 // prompt the user for sensitive information
 PasswordCallback pc = (PasswordCallback) callbacks;
 pc.setPassword(password.toCharArray());
 } else if (callbacks.getClass().getName().equals
 ("weblogic.security.auth.callback.URLCallback")) {
 } else {
 throw new UnsupportedCallbackException
 (callbacks, "Unrecognized Callback \""
 + callbacks.getClass().getName() + "\"");
 }
 }
 }
 }


 public LoginFilterLoginContext
 (String applicationPolicy, String userName, String password) throws
 LoginException {
 super(applicationPolicy, new CBH(userName, password));
 }
 }


 /** The WLS security class. Indicates if WLS security is used. */
 private Class wlsSec = null;

 /** The context used for the login and logout operations */
 private LoginContext loginContext;

 /**
 * Initialize the filter.
 *
 * @param filterConfig the filter configuration information
 * @throws ServletException if the login context cannot be created
 */
 public void init(FilterConfig filterConfig) throws ServletException {
 // first, find out if we have WLS security
 try {
 wlsSec = Thread.currentThread().getContextClassLoader()
 .loadClass("weblogic.security.Security");
 } catch (ClassNotFoundException e) {
 // OK, not WLS client
 logger.debug("No WLS security class, not using WLS security");
 }

 // now get the parameters
 applicationPolicy
 = filterConfig.getInitParameter("ApplicationPolicy");
 if (applicationPolicy == null) {
 applicationPolicy = "client-login";
 }
 }

 /**
 * Do nothing.
 */
 public void destroy() {}

 /**
 * Perform a login, call the next filter on the filter chain and
 * perform a logout.
 *
 * @param request the request
 * @param response the response
 * @param chain the filter chain
 * @throws IOException IOException
 * @throws ServletException ServletException
 */
 public void doFilter
 (ServletRequest request, ServletResponse response,
 FilterChain chain) throws IOException, ServletException {

 HttpServletRequest req = ((HttpServletRequest) (request));
 String userName = req.getParameter("username");
 String password = req.getParameter("password");
 if (logger.isDebugEnabled()) {
 logger.debug("Configured to use application policy \""
 + applicationPolicy + "\", user name \""
 + userName + "\" and "
 + (password == null ? " no password."
 : "a (non-disclosed) password."));
 }
 System.out.println("Username: " + userName + " password: " + password +
 " applicationPolicy: " + applicationPolicy);
 // finally, create login context
 try {
 loginContext = new LoginFilterLoginContext
 (applicationPolicy, userName, password);
 } catch (LoginException e) {
 throw new ServletException
 ("Cannot create LoginContext: " + e.getMessage(), e);
 }
 try {
 loginContext.login();
 System.out.println("Login in LoginFilter ok");
 Subject subject = loginContext.getSubject();
 Set principals = subject.getPrincipals();
 Principal princ = null;
 for (Iterator prinIter = principals.iterator(); prinIter.hasNext(); ) {

 princ = ((Principal) (prinIter.next()));
 System.out.println(" Nome principal in LoginFilter: " +
 princ.getName() + " ed è in ruolo? " +
 req.isUserInRole("StaffManagementRole_0"));
 }
 } catch (LoginException e) {
 throw new ServletException("Cannot login: " + e.getMessage(), e);
 }
 try {
 if (wlsSec != null) {
 // Use WLS security. Use reflection to avoid code
 // dependency on WLS
 try {
 Class[] ats = new Class[] {Subject.class, PrivilegedAction.class};
 Method m = wlsSec.getMethod("runAs", ats);
 final FilterChain chainArg = chain;
 final ServletRequest reqArg = request;
 final ServletResponse resArg = response;
 Object[] args = new Object[] {
 loginContext.getSubject(),
 new PrivilegedExceptionAction() {
 public Object run() throws Exception {
 chainArg.doFilter(reqArg, resArg);
 return null;
 }
 }
 } ;
 m.invoke(null, args);
 } catch (NoSuchMethodException e) {
 logger.error(e.getMessage(), e);
 throw new IllegalStateException(e.getMessage());
 } catch (SecurityException e) {
 logger.error(e.getMessage(), e);
 throw new IllegalStateException(e.getMessage());
 } catch (IllegalAccessException e) {
 logger.error(e.getMessage(), e);
 throw new IllegalStateException(e.getMessage());
 } catch (InvocationTargetException e) {
 if (e.getTargetException()
 instanceof PrivilegedActionException) {
 PrivilegedActionException pe
 = (PrivilegedActionException) e.
 getTargetException();
 if (pe.getException() instanceof IOException) {
 throw (IOException) pe.getException();
 }
 if (pe.getException() instanceof ServletException) {
 throw (ServletException) pe.getException();
 }
 }
 logger.error(e.getMessage(), e);
 throw new IllegalStateException(e.getMessage());
 }
 } else {
 // Use JBoss security.
 chain.doFilter(request, response);
 }
 } finally {
 try {
 loginContext.logout();
 } catch (LoginException e) {
 throw new ServletException
 ("Cannot logout: " + e.getMessage(), e);
 }
 }
 }
 }

17:54:50,801 INFO [STDOUT] Username: ML password: ML applicationPolicy: danetworkflow-ia
17:54:50,841 INFO [STDOUT] Login in LoginFilter ok
17:54:50,841 INFO [STDOUT] Nome principal in LoginFilter: ML ed è in ruolo? false
17:54:50,841 INFO [STDOUT] Nome principal in LoginFilter: CallerPrincipal ed è in ruolo? false
17:54:50,841 INFO [STDOUT] Nome principal in LoginFilter: Roles ed è in ruolo? false
17:54:50,841 INFO [STDOUT] Tento login con username: [ML] e password: [ML] Il principal è nullo? null
17:54:50,951 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[StaffManagementRole_0], principalRoles=null
17:54:50,951 ERROR [LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[StaffManagementRole_0], principalRoles=null
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:83)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
at org.jboss.ejb.StatelessSessionContainer.internalInvokeHome(StatelessSessionContainer.java:319)
at org.jboss.ejb.Container.invoke(Container.java:743)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:61)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:53)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:185)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:97)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:90)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:53)
at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:173)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:85)
at $Proxy233.create(Unknown Source)
.
.
.
.
.

Hi all....again this error i'm becoming crazy... if i use a "client-login" module, i can log, the servlet works and i can call the EJB that shows to me all the processes; now if i want to start a process i click on the link, but again i have the exception principal=null; i post the full stack trace:

10:00:49,841 INFO [STDOUT] Username: ML password: ML applicationPolicy: client-login
10:00:49,851 INFO [STDOUT] Login in LoginFilter ok
10:00:49,851 INFO [STDOUT] ML
10:00:49,851 INFO [STDOUT] Tento login con username: [ML] e password: [ML] Il principal è nullo? null
10:00:50,011 INFO [STDOUT] Setto interr in sessione
10:00:50,011 INFO [STDOUT] Interr settato
10:00:52,825 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=processDefinitionDirectory, interface=REMOTE, requiredRoles=[StaffManagementRole_0], principalRoles=null
10:00:52,825 ERROR [LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Insufficient method permissions, principal=null, method=processDefinitionDirectory, interface=REMOTE, requiredRoles=[StaffManagementRole_0], principalRoles=null
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:109)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
at org.jboss.ejb.StatelessSessionContainer.internalInvoke(StatelessSessionContainer.java:331)
at org.jboss.ejb.Container.invoke(Container.java:723)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:61)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:53)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:185)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:97)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:90)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:53)
at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:100)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:85)
at $Proxy117.processDefinitionDirectory(Unknown Source)
at de.danet.an.workflow.ejbs.client.StandardWorkflowService.processDefinitionDirectory(StandardWorkflowService.java:433)
at it.eng.nikko.demo.wf.WorkflowInteraction.startProcess(WorkflowInteraction.java:35)
at org.apache.jsp.startProcess_jsp._jspService(startProcess_jsp.java:53)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:72)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:275)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:534)
10:00:52,915 ERROR [Engine] StandardWrapperValve[jsp]: Servlet.service() for servlet jsp threw exception
java.rmi.ServerException: EJBException:; nested exception is:
javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
Insufficient method permissions, principal=null, method=processDefinitionDirectory, interface=REMOTE, requiredRoles=[StaffManagementRole_0], principalRoles=null
at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:347)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:195)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
at org.jboss.ejb.StatelessSessionContainer.internalInvoke(StatelessSessionContainer.java:331)
at org.jboss.ejb.Container.invoke(Container.java:723)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:61)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:53)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:185)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:97)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:90)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:53)
at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:100)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:85)
at $Proxy117.processDefinitionDirectory(Unknown Source)
at de.danet.an.workflow.ejbs.client.StandardWorkflowService.processDefinitionDirectory(StandardWorkflowService.java:433)
at it.eng.nikko.demo.wf.WorkflowInteraction.startProcess(WorkflowInteraction.java:35)
at org.apache.jsp.startProcess_jsp._jspService(startProcess_jsp.java:53)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:72)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:275)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:534)
Caused by: javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
Insufficient method permissions, principal=null, method=processDefinitionDirectory, interface=REMOTE, requiredRoles=[StaffManagementRole_0], principalRoles=null
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:230)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:109)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
... 59 more

10:00:49,841 INFO [STDOUT] Username: ML password: ML applicationPolicy: client-login
10:00:49,851 INFO [STDOUT] Login in LoginFilter ok
10:00:49,851 INFO [STDOUT] ML
10:00:49,851 INFO [STDOUT] Tento login con username: [ML] e password: [ML] Il principal è nullo? null

10:00:49,851 INFO [STDOUT] Tento login con username: [ML] e password: [ML] Il principal è nullo? null

Hi gbrigand; first of all thanks for your answer. I have this jboss-web.xml in my web-app:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
<security-domain>java:/jaas/danetworkflow</security-domain> <context-root>demo</context-root>
<ejb-ref>
<ejb-ref-name>ejb/Engine</ejb-ref-name>
<jndi-name>jnp://localhost:1099/WorkflowEngine</jndi-name>
</ejb-ref>
</jboss-web>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>Demo Engineering</display-name>
<description>Semplice demo per l'utilizzo di wfmOpen per Engineering Ingegneria Informatica</description>
<filter>
<filter-name>LoginFilter</filter-name>
<filter-class>it.eng.nikko.demo.web.login.LoginFilter</filter-class>
<init-param>
<param-name>ApplicationPolicy</param-name>
<param-value>client-login</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<servlet-name>dispatcher</servlet-name>
</filter-mapping>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>it.eng.nikko.demo.web.login.Dispatcher</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/dispatcher</url-pattern>
</servlet-mapping>
<security-constraint>
<display-name>Restricted</display-name>
<web-resource-collection>
<web-resource-name>Restricted</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>StaffManagementUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Default</description>
<role-name>StaffManagementUser</role-name>
</security-role>
<ejb-ref>
<description>Mi riferisco al workflow EJB</description>
<ejb-ref-name>ejb/Engine</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>de.danet.an.workflow.ejbs.WorkflowEngineHome</home>
<remote>de.danet.an.workflow.ejbs.WorkflowEngine</remote>
<ejb-link>Engine</ejb-link>
</ejb-ref>
</web-app>

<jboss>

<security-domain>java:/jaas/danetworkflow</security-domain>

<enterprise-beans>

<!--
To add beans that you have deployment descriptor info for, add
a file to your XDoclet merge directory called jboss-beans.xml that contains
the <session></session>, <entity></entity> and <message-driven></message-driven>
markup for those beans.
-->

<entity>
<ejb-name>StaffMemberBean</ejb-name>
<jndi-name>StaffMemberBean</jndi-name>

</entity>
<entity>
<ejb-name>StaffGroupBean</ejb-name>
<jndi-name>StaffGroupBean</jndi-name>

</entity>

<session>
<ejb-name>StaffDirectory</ejb-name>
<jndi-name>de.danet.an.workflow.StaffDirectory</jndi-name>

</session>

</enterprise-beans>

<resource-managers>
<resource-manager res-class="org.jboss.ejb.deployment.JDBCResource">
<res-name>jdbc/StaffMgmt</res-name>
<res-jndi-name>java:/DefaultDS</res-jndi-name>
</resource-manager>
</resource-managers>

</jboss>

HI; one question... are you italian o do you speak italian? If so the next time we can speack into italian because my english is tooo poor.
Well... when i log by calling 'request.getUserPrincipal() the first time i have ML; then the de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule creates a right Princiapl and i go to the Servlet, when i arrive to the servlet i have this principal

Tento login con username: [ML] e password: [ML] Il principal è nullo? null

I'd suggest you to change the debug level of the org.jboss.security.auth.spi package to TRACE. With this you will be able to see more details about whats happening in the Login Module. Would be usefull if you make a followup with it.

Hi; i have added the log4j for the security; this is mi security.log content:

2004-10-29 09:58:43,624,DEBUG,[main],[org.jboss.security.auth.login.XMLLoginConfig],Creating jboss.security:service=XMLLoginConfig
2004-10-29 09:58:43,624,DEBUG,[main],[org.jboss.security.auth.login.XMLLoginConfig],Created jboss.security:service=XMLLoginConfig
2004-10-29 09:58:43,854,DEBUG,[main],[org.jboss.security.auth.login.XMLLoginConfig],Starting jboss.security:service=XMLLoginConfig
2004-10-29 09:58:43,854,DEBUG,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Try loading config as XML, url=file:/C:/jboss-3.2.5/server/default/conf/login-config.xml
2004-10-29 09:58:43,874,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=client-login
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=jbossmq
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=HsqlDbRealm
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=FirebirdDBRealm
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=JmsXARealm
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=jmx-console
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=web-console
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=other
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=danetworkflow
2004-10-29 09:58:43,884,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],Parsing application-policy=danetworkflow-ia
2004-10-29 09:58:43,884,DEBUG,[main],[org.jboss.security.auth.login.XMLLoginConfig],Started jboss.security:service=XMLLoginConfig
2004-10-29 09:58:51,956,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(HsqlDbRealm), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.resource.security.ConfiguredIdentityLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=managedConnectionFactoryName, value=jboss.jca:service=LocalTxCM,name=DefaultDS
name=password, value=
name=userName, value=sa
name=principal, value=sa

2004-10-29 09:58:58,635,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(jbossmq), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=rolesQuery, value=SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
name=principalsQuery, value=SELECT PASSWD FROM JMS_USERS WHERE USERID=?
name=unauthenticatedIdentity, value=guest
name=dsJndiName, value=java:/DefaultDS

2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],initialize
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Saw unauthenticatedIdentity=guest
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],DatabaseServerLoginModule, dsJndiName=java:/DefaultDS
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],principalsQuery=SELECT PASSWD FROM JMS_USERS WHERE USERID=?
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],rolesQuery=SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],login
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Authenticating as unauthenticatedIdentity=guest
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],User 'guest' authenticated, loginOk=true
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],commit, loginOk=true
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Assign user to role guest
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Assign user to role j2ee
2004-10-29 09:58:58,645,TRACE,[main],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Assign user to role john
2004-10-29 09:58:58,986,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(client-login), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.ClientLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2004-10-29 09:58:59,106,TRACE,[main],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(HsqlDbRealm), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.resource.security.ConfiguredIdentityLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=managedConnectionFactoryName, value=jboss.jca:service=LocalTxCM,name=DefaultDS
name=password, value=
name=userName, value=sa
name=principal, value=sa

2004-10-29 09:58:59,677,TRACE,[Thread-16],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(danetworkflow), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.ProxyLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=moduleName, value=de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule
name=daemonPassword, value=Afaik,tiagp.
name=unauthenticatedIdentity, value=nobody
name=daemonUsername, value=daemon
name=dsJndiName, value=java:/DefaultDS

2004-10-29 09:58:59,777,TRACE,[Thread-16],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(JmsXARealm), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.resource.security.ConfiguredIdentityLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=managedConnectionFactoryName, value=jboss.jca:service=TxCM,name=JmsXA
name=password, value=guest
name=userName, value=guest
name=principal, value=guest

2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(jbossmq), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=rolesQuery, value=SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
name=principalsQuery, value=SELECT PASSWD FROM JMS_USERS WHERE USERID=?
name=unauthenticatedIdentity, value=guest
name=dsJndiName, value=java:/DefaultDS

2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],initialize
2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Saw unauthenticatedIdentity=guest
2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],DatabaseServerLoginModule, dsJndiName=java:/DefaultDS
2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],principalsQuery=SELECT PASSWD FROM JMS_USERS WHERE USERID=?
2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],rolesQuery=SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?
2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],login
2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],User 'guest' authenticated, loginOk=true
2004-10-29 09:58:59,787,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],commit, loginOk=true
2004-10-29 09:58:59,797,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Assign user to role guest
2004-10-29 09:58:59,797,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Assign user to role j2ee
2004-10-29 09:58:59,797,TRACE,[Thread-16],[org.jboss.security.auth.spi.DatabaseServerLoginModule],Assign user to role john
2004-10-29 09:59:17,342,TRACE,[http-0.0.0.0-8080-Processor21],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(client-login), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.ClientLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
2004-10-29 09:59:18,314,TRACE,[http-0.0.0.0-8080-Processor21],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(danetworkflow), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.ProxyLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=moduleName, value=de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule
name=daemonPassword, value=Afaik,tiagp.
name=unauthenticatedIdentity, value=nobody
name=daemonUsername, value=daemon
name=dsJndiName, value=java:/DefaultDS

2004-10-29 09:59:18,314,TRACE,[http-0.0.0.0-8080-Processor21],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(HsqlDbRealm), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.resource.security.ConfiguredIdentityLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=managedConnectionFactoryName, value=jboss.jca:service=LocalTxCM,name=DefaultDS
name=password, value=
name=userName, value=sa
name=principal, value=sa

2004-10-29 09:59:22,209,TRACE,[http-0.0.0.0-8080-Processor21],[org.jboss.security.auth.login.XMLLoginConfigImpl],getAppConfigurationEntry(danetworkflow), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.ProxyLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=moduleName, value=de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule
name=daemonPassword, value=Afaik,tiagp.
name=unauthenticatedIdentity, value=nobody
name=daemonUsername, value=daemon
name=dsJndiName, value=java:/DefaultDS

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
"-//JBoss//DTD JBOSS Security Config 3.0//EN"
"http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
<authentication>
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>

<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</authentication>
</application-policy>

$Revision: 1.6.2.5 $
-->

<policy>
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<application-policy name = "client-login">
<authentication>
<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
</login-module>
</authentication>
</application-policy>

<!-- Security domain for JBossMQ -->
<application-policy name = "jbossmq">
<authentication>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
<module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
</login-module>
</authentication>
</application-policy>

<!-- Security domains for testing new jca framework -->
<application-policy name = "HsqlDbRealm">
<authentication>
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sa</module-option>
<module-option name = "userName">sa</module-option>
<module-option name = "password"></module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
</login-module>
</authentication>
</application-policy>

<application-policy name = "FirebirdDBRealm">
<authentication>
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">sysdba</module-option>
<module-option name = "userName">sysdba</module-option>
<module-option name = "password">masterkey</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
</login-module>
</authentication>
</application-policy>

<application-policy name = "JmsXARealm">
<authentication>
<login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag = "required">
<module-option name = "principal">guest</module-option>
<module-option name = "userName">guest</module-option>
<module-option name = "password">guest</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
</login-module>
</authentication>
</application-policy>

<!-- A template configuration for the jmx-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">jmx-console-users.properties</module-option>
<module-option name="rolesProperties">jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>

<!-- A template configuration for the web-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name = "web-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</authentication>
</application-policy>

<!-- The default login configuration used by any security domain that
does not have a application-policy entry with a matching name
-->
<application-policy name = "other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented as is
the case for an unuathenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />
</authentication>
</application-policy>


<!-- Contenuto del file del workflow:C:\WfmcOpen\wfmopen bin\wfmopen-1.2rc1\lib\login-config.xml.insert -->

<!-- Bind workflow security domain to staffmgmt authentication -->
<application-policy name = "danetworkflow">
<authentication>
<login-module code = "org.jboss.security.auth.spi.ProxyLoginModule"
flag = "required">
<module-option name = "moduleName">de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule</module-option>
<module-option name = "unauthenticatedIdentity">nobody</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "daemonUsername">daemon</module-option>
<module-option name = "daemonPassword">Afaik,tiagp.</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Bind workflow security domain to staffmgmt authentication -->
<application-policy name = "danetworkflow-ia">
<authentication>
<login-module code = "org.jboss.security.auth.spi.ProxyLoginModule"
flag = "required">
<module-option name = "moduleName">de.danet.an.staffmgmt.jbossx.StaffMemberLoginModule</module-option>
<module-option name = "dsJndiName">java:/DefaultDS</module-option>
<module-option name = "Principal">StaffManagementRole_0</module-option>
</login-module>
</authentication>
</application-policy>

<!-- Fine contenuto -->

</policy>

Moreover.... but must my login.jsp page action be j_security_check? Can i use filter?; my login.jsp page is:

<html>
<head>
<title>login</title>
</head>
<body bgcolor="#ffffff">
<form method="post" action="dispatcher">
<table>
 <tr>
 <td>
 <p>Username:</p>
 </td>
 <td>
 <input type="text" name="username"/>
 </td>
 </tr>
 <tr>
 <td>
 <p>Password:</p>
 </td>
 <td>
 <input type="text" name="password"/>
 </td>
 </tr>
</table>
<br>
<br>
<input type="submit" name="Submit" value="Submit">
<input type="reset" value="Reset">
</form>
</body>
</html>

<html>
<head>
<title>login</title>
</head>
<body bgcolor="#ffffff">
<form method="post" action='<%= response.encodeURL( "j_security_check" ) %>'>
<table>
 <tr>
 <td>
 <p>Username:</p>
 </td>
 <td>
 <input type="text" name="j_username"/>
 </td>
 </tr>
 <tr>
 <td>
 <p>Password:</p>
 </td>
 <td>
 <input type="text" name="j_password"/>
 </td>
 </tr>
</table>
<br>
<br>
<input type="submit" name="Submit" value="Submit">
<input type="reset" value="Reset">
</form>
</body>
</html>

HTTP Status 400 - Invalid direct reference to form login page

--------------------------------------------------------------------------------

type Status report

message Invalid direct reference to form login page

description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).


--------------------------------------------------------------------------------

Apache Tomcat/5.0.26

Another thing (by hoping that someone answers to me)... if i insert this url patterns: /*... when i do the login with the login.jsp page, i remain always in this page and i have non message form the console; instead if i don't put this URL, at least the first called to the EJB i can do.... when i call it a second time , i have the error prinsipal = null (if i do request.getUserPrincipal() ); instead if i do SecurityAssociation.getPrincipal, i have ML..... is it normal?

Hi; thanks again; yes.. this class is in my classpath because the first time i do the login even if the principal is ML, by using this class i can have StaffManagementRole_0.... i can see the first page that uses the EJB and the EJB is called with no problem; then i have some href that go to another page where the EJB is called... but here the principal is null and i have the exception... i don't understand why.