Hey all,

I have 2 deployables each with there own security domain: a war which uses form based authentication and authenticates in the "myWeb" security domain, and an ear which authenticates in the "myEjb" security domain. Both are deployed in the same JBoss jvm (for testing purposes - for production they will be deployed into their own JBoss jvm on different servers). I've configured the war to pass the CallerPrincipal when accessing session beans in the ejb by adding the ClientLoginModule (see my configuration listings at the end). The intention is to have the web tier do the initial authentication, passing each user's credentials from the web tier to the app tier as necessary.

The problem is that when I have 2 users logged in trying to access the session beans, either the wrong CallerPrincipal is used in the app tier or I get a "FailedLoginException: Password Incorrect/Password Required". Here are my steps for reproducing the error:

1. Browser 1 - login as user1. Web reports CallerPrincipal as "user1". App reports CallerPrincipal as "user1". Consecutive calls to app tier do not produce any errors.
2. Browser 2 (different box) - login as user2. Web reports CallerPrincipal as "user2". Most of the time the app reports the CallerPrincipal as "user2" but will occationally report "user1". I've noticed that if the "multi-threaded" parameter of the ClientLoginModule is set to false, the app will always see the CallerPrincipal as the last user to login. Consecutive calls to app tier do not produce the FailedLoginException.
3. Browser1 - user1 still logged in - perform action that calls the app tier and receive the FailedLoginException.
4. Browser2 - user2 still logged in - perform action that calls the app tier and receive the FailedLoginException.

I feel like I'm missing something obvious and important and I'm pretty sure this is a common scenerio: using container managed security (ala JAAS) to authenticate/authorize users at an enterprise level. Could someone explain to me what I'm doing wrong/how to resolve this issue? Is there a different approach I should try?

Thanks,

Joe Hindsley

Configuration files follow:

login-config.xml:

 <application-policy name = "myWeb">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
 flag = "required">
 <module-option name="usersProperties">myweb-users.properties</module-option>
 <module-option name="rolesProperties">myweb-roles.properties</module-option>
 <module-option name="password-stacking">useFirstPass</module-option>
 </login-module>
 <login-module code = "org.jboss.security.ClientLoginModule"
 flag = "required">
 <module-option name="multi-threaded">true</module-option>
 <module-option name="password-stacking">useFirstPass</module-option>
 </login-module>
 </authentication>
 </application-policy>

 <application-policy name = "myEjb">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
 flag = "required">
 <module-option name="usersProperties">myejb-users.properties</module-option>
 <module-option name="rolesProperties">myejb-roles.properties</module-option>
 <module-option name="password-stacking">useFirstPass</module-option>
 </login-module>
 </authentication>
 </application-policy>

user1=user1pw
user2=user2pw

user1=webrole
user2=webrole

user1=ejbrole
user2=ejbrole