0 Replies Latest reply on Sep 30, 2005 8:45 AM by michael.c.small

    org.apache.catalina.authenticator.AuthenticatorBase Failed au

    michael.c.small

      Using JAAS container authentication and authorization, I'm getting very strange results. If I request a protected resource (as defined by security-constraints in my web.xml), I am correctly taken to my login page. After entering valid credentials, I pass a FormAuthenticator authentication but appear to fail in the AuthenticatorBase authentication. Below is the logging from my server.log (I've bolded the section that I believe is causing the problem). Any idea why this authenticate fails (especially since FormAuthenticator succeeds)? Note that I'm using a custom LoginModule. I don't believe, however, that is the problem because it works well accessing my EJBs directly.

      2005-09-30 07:25:14,776 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] defaultLogin, lc=javax.security.auth.login.LoginContext@1132f26, subject=Subject(8169456).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members)))
      2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] updateCache, inputSubject=Subject(8169456).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))), cacheSubject=Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members)))
      2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@971e9d[Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))),credential.class=java.lang.String@31664352,expirationTime=1128083092930]
      2005-09-30 07:25:14,777 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] End isValid, true
      2005-09-30 07:25:14,777 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: woper_testuser01 is authenticated
      2005-09-30 07:25:14,778 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]
       Principal: CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])
       Principal: Roles(members:TascForce(members))
      , principal=woper_testuser01
      2005-09-30 07:25:14,779 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@971e9d[Subject(27024614).principals=com.tasconline.relationship.RelationshipId@21250486(com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])org.jboss.security.SimpleGroup@32842892(CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]))org.jboss.security.SimpleGroup@32842892(Roles(members:TascForce(members))),credential.class=java.lang.String@31664352,expirationTime=1128083092930]
      2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Mapped from input principal: woper_testuser01to: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]
      2005-09-30 07:25:14,779 TRACE [org.jboss.security.plugins.JaasSecurityManager.tasconline] getUserRoles, subject: Subject:
       Principal: com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162]
       Principal: CallerPrincipal(members:com.tasconline.relationship.RelationshipId@1f5ba55[id=4310000-0000162])
       Principal: Roles(members:TascForce(members))
      
      2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] End authenticate, principal=GenericPrincipal[4310000-0000162(TascForce,)]
      2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Authentication of 'woper_testuser01' was successful
      2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Redirecting to original '/tasconline/app/main.faces'
      2005-09-30 07:25:14,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test ??/tasconline/app/j_security_check
      2005-09-30 07:25:14,779 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: 206E313AE6C29507AFAF738D53B62DA2
      2005-09-30 07:25:14,780 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
      2005-09-30 07:25:14,780 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: woper_testuser01
      2005-09-30 07:25:14,785 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 206E313AE6C29507AFAF738D53B62DA2
      2005-09-30 07:25:14,786 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Enter, j_username=null
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /tasconline/app/main.faces
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[General Secured Resources]' against GET /app/main.faces --> true
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[TascForce Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Provider Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Client Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Participant Secured Resources]' against GET /app/main.faces --> false
      2005-09-30 07:25:14,786 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      2005-09-30 07:25:14,786 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission /app/main.faces GET)
      2005-09-30 07:25:14,787 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebUserDataPermission /app/main.faces GET)
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Restore request from session '206E313AE6C29507AFAF738D53B62DA2'
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Authenticated '4310000-0000162' with type 'FORM'
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Proceed to restored request
      2005-09-30 07:25:14,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      2005-09-30 07:25:14,787 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] No active subject found, using
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] Denied: (javax.security.jacc.WebResourcePermission /app/main.faces GET)
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.JaccAuthorizationRealm] hasResourcePermission, perm=(javax.security.jacc.WebResourcePermission /app/main.faces GET), allowed=false
      2005-09-30 07:25:14,788 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed accessControl() test
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SessionID: 206E313AE6C29507AFAF738D53B62DA2
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] SecurityAssociation.exception: null
      2005-09-30 07:25:14,788 TRACE [org.jboss.web.tomcat.security.FormAuthValve] Exit, username: null
      2005-09-30 07:25:15,045 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1128083115045 sessioncount 0
      2005-09-30 07:25:15,045 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
      


      My web.xml:

      <?xml version="1.0"?>
      <!--
       * Copyright 2004 The Apache Software Foundation.
       *
       * Licensed under the Apache License, Version 2.0 (the "License");
       * you may not use this file except in compliance with the License.
       * You may obtain a copy of the License at
       *
       * http://www.apache.org/licenses/LICENSE-2.0
       *
       * Unless required by applicable law or agreed to in writing, software
       * distributed under the License is distributed on an "AS IS" BASIS,
       * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
       * See the License for the specific language governing permissions and
       * limitations under the License.
       *
       * UPDATED: Marty Hall changed to use .faces suffix,
       * faces-config.xml filename, servlets 2.4, and extensions filter.
       * See JSF tutorial at http://www.coreservlets.com/.
      -->
      
      <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
       version="2.4">
      
       <context-param>
       <param-name>javax.faces.CONFIG_FILES</param-name>
       <param-value>
       /WEB-INF/faces-config.xml
       </param-value>
       <description>
       Comma separated list of URIs of (additional) faces config files.
       (e.g. /WEB-INF/my-config.xml)
       See JSF 1.0 PRD2, 10.3.2
       </description>
       </context-param>
      
       <context-param>
       <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
       <param-value>client</param-value>
       <description>
       State saving method: "client" or "server" (= default)
       See JSF Specification 2.5.2
       </description>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
       <param-value>true</param-value>
       <description>
       This parameter tells MyFaces if javascript code should be allowed in the
       rendered HTML output.
       If javascript is allowed, command_link anchors will have javascript code
       that submits the corresponding form.
       If javascript is not allowed, the state saving info and nested parameters
       will be added as url parameters.
       Default: "true"
       </description>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
       <param-value>true</param-value>
       <description>
       If true, rendered HTML code will be formatted, so that it is "human readable".
       i.e. additional line separators and whitespace will be written, that do not
       influence the HTML code.
       Default: "true"
       </description>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
       <param-value>false</param-value>
       </context-param>
      
       <context-param>
       <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
       <param-value>true</param-value>
       <description>
       If true, a javascript function will be rendered that is able to restore the
       former vertical scroll on every request. Convenient feature if you have pages
       with long lists and you do not want the browser page to always jump to the top
       if you trigger a link or button action that stays on the same page.
       Default: "false"
       </description>
       </context-param>
      
       <!-- Listener, that does all the startup work (configuration, init). -->
       <listener>
       <listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
       </listener>
      
       <!-- Faces Servlet
       Marty Hall: changed .jsf back to standard of .faces -->
       <servlet>
       <servlet-name>Faces Servlet</servlet-name>
       <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
       <load-on-startup>1</load-on-startup>
       </servlet>
       <servlet-mapping>
       <servlet-name>Faces Servlet</servlet-name>
       <url-pattern>*.faces</url-pattern>
       </servlet-mapping>
      
       <!-- Extensions Filter
       Marty Hall: pasted this in from myfaces-examples; it is needed for custom components
       that use JavaScript. Note that url-pattern of filter-mapping must match the
       url-pattern of servlet-mapping above. So, if you change from .faces to .jsf,
       change BOTH url-pattern entries. -->
       <filter>
       <filter-name>extensionsFilter</filter-name>
       <filter-class>org.apache.myfaces.component.html.util.ExtensionsFilter</filter-class>
       <init-param>
       <param-name>uploadMaxFileSize</param-name>
       <param-value>100m</param-value>
       <description>Set the size limit for uploaded files.
       Format: 10 - 10 bytes
       10k - 10 KB
       10m - 10 MB
       1g - 1 GB
       </description>
       </init-param>
       <init-param>
       <param-name>uploadThresholdSize</param-name>
       <param-value>100k</param-value>
       <description>Set the threshold size - files
       below this limit are stored in memory, files above
       this limit are stored on disk.
       Format: 10 - 10 bytes
       10k - 10 KB
       10m - 10 MB
       1g - 1 GB
       </description>
       </init-param>
       </filter>
       <filter-mapping>
       <filter-name>extensionsFilter</filter-name>
       <url-pattern>*.faces</url-pattern>
       </filter-mapping>
       <filter-mapping>
       <filter-name>extensionsFilter</filter-name>
       <url-pattern>/faces/*</url-pattern>
       </filter-mapping>
      
       <!-- Security Constraint for resources used by all the different
       possible roles -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>General Secured Resources</web-resource-name>
       <url-pattern>/app/main.faces</url-pattern>
       <url-pattern>/app/main.jsp</url-pattern>
       <url-pattern>/app/common/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       <role-name>Client</role-name>
       <role-name>Participant</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for TascForce resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>TascForce Secured Resources</web-resource-name>
       <url-pattern>/app/tascforce/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for Provider resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Provider Secured Resources</web-resource-name>
       <url-pattern>/app/provider/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for Client resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Client Secured Resources</web-resource-name>
       <url-pattern>/app/client/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       <role-name>Client</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Security Constraint for Participant resources -->
       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Participant Secured Resources</web-resource-name>
       <url-pattern>/app/participant/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>TascForce</role-name>
       <role-name>Provider</role-name>
       <role-name>Client</role-name>
       <role-name>Participant</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      
       <!-- Login Configuration - lists the type of authentication method
       and the pages used for login -->
       <login-config>
       <auth-method>FORM</auth-method>
       <realm-name>TASCSystem - JAAS</realm-name>
       <form-login-config>
       <form-login-page>/security/login.faces</form-login-page>
       <form-error-page>/security/login-redirect.faces</form-error-page>
       </form-login-config>
       </login-config>
      
       <!-- Security roles -->
       <!-- TascForce -->
       <security-role>
       <description>TASC Employee</description>
       <role-name>TascForce</role-name>
       </security-role>
       <!-- Provider -->
       <security-role>
       <description>TASC Provider</description>
       <role-name>Provider</role-name>
       </security-role>
       <!-- Client -->
       <security-role>
       <description>TASC Client</description>
       <role-name>Client</role-name>
       </security-role>
       <!-- Participant -->
       <security-role>
       <description>TASC Participant</description>
       <role-name>Participant</role-name>
       </security-role>
      
       <!-- error page definitions -->
       <!-- system errors -->
       <error-page>
       <exception-type>java.lang.Throwable</exception-type>
       <location>/errors/system-error.faces</location>
       </error-page>
      
       <!-- Welcome files -->
       <welcome-file-list>
       <welcome-file>index.jsp</welcome-file>
       </welcome-file-list>
      
      </web-app>
      


      My jboss-web.xml:

      <jboss-web>
       <security-domain>java:/jaas/tasconline</security-domain>
      </jboss-web>
      


      My context.xml:

      <Context cookies="true" crossContext="true">
       <Valve className="org.jboss.web.tomcat.security.FormAuthValve"
       includePassword="false"/>
      </Context>
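As an added example (not code from the original post or from JBoss/Tomcat), a small Python checker that loads the security-constraint blocks of a web.xml, matches a request against them the way the "Checking constraint ... --> true/false" lines above show, and then applies the role check. The embedded XML is a constructed, trimmed copy of the first two constraints from the web.xml above; the point of the example is that the same "General Secured Resources" constraint permits GET /app/main.faces for a caller holding TascForce but denies it for a caller with no roles at all, which is the situation the log reports ("No active subject found") on the restored request.

```python
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"
# Constructed sample: the first two security-constraint blocks of the web.xml
# above, reduced to the elements the authorization decision depends on.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
<security-constraint><web-resource-collection>
 <web-resource-name>General Secured Resources</web-resource-name>
 <url-pattern>/app/main.faces</url-pattern><url-pattern>/app/main.jsp</url-pattern>
 <url-pattern>/app/common/*</url-pattern>
</web-resource-collection><auth-constraint>
 <role-name>TascForce</role-name><role-name>Provider</role-name>
 <role-name>Client</role-name><role-name>Participant</role-name>
</auth-constraint></security-constraint>
<security-constraint><web-resource-collection>
 <web-resource-name>TascForce Secured Resources</web-resource-name>
 <url-pattern>/app/tascforce/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>TascForce</role-name></auth-constraint>
</security-constraint></web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, '/prefix/*', '*.ext' or '/'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in ("/", path)

def load_constraints(xml_text):
    constraints = []
    for sc in ET.fromstring(xml_text).iter(NS + "security-constraint"):
        wrc = sc.find(NS + "web-resource-collection")
        auth = sc.find(NS + "auth-constraint")
        constraints.append({
            "name": wrc.findtext(NS + "web-resource-name"),
            "patterns": [p.text.strip() for p in wrc.findall(NS + "url-pattern")],
            "methods": [m.text.strip() for m in wrc.findall(NS + "http-method")],
            # None = no <auth-constraint> at all (anyone); [] = an empty one (nobody)
            "roles": None if auth is None else
                     [r.text.strip() for r in auth.findall(NS + "role-name")],
        })
    return constraints

def check_access(constraints, method, path, user_roles):
    """Return (names of matching constraints, allowed?). Mirrors the two steps in
    the log: match each constraint against the request, then combine the matched
    auth-constraints per Servlet 2.4 SRV.12.8.1: an empty one precludes access,
    a missing one grants it, otherwise the caller needs one role of the union."""
    matched = [c for c in constraints
               if any(pattern_matches(p, path) for p in c["patterns"])
               and (not c["methods"] or method in c["methods"])]
    names = [c["name"] for c in matched]
    roles = [c["roles"] for c in matched]
    if not matched or (None in roles and [] not in roles):
        return names, True
    if [] in roles:
        return names, False
    return names, bool(set().union(*roles) & set(user_roles))
```

Running check_access(load_constraints(WEB_XML), "GET", "/app/main.faces", set()) reproduces the denial, while passing {"TascForce"} as the role set permits the request; the constraint definitions therefore are not what blocks the restored request.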