-
1. Re: Programmatic Authentication in JBoss?
anil.saldhana Dec 8, 2005 7:11 PM (in response to evsrao)
Pointer:
http://anoncvs.forge.jboss.com/viewrep/~raw,r=1.3/JBoss/jboss/src/main/org/jboss/security/AuthenticationInterceptor.java
Use the JaasSecurityManager from JNDI/MBeanServer.
http://wiki.jboss.org/wiki/Wiki.jsp?page=JaasSecurityManagerService
http://wiki.jboss.org/wiki/Wiki.jsp?page=JaasSecurityManager -
2. Re: Programmatic Authentication in JBoss?
starksm64 Dec 9, 2005 1:44 AM (in response to evsrao)
See chapter 8 of the server guide:
http://www.jboss.com/products/jbossas/docs -
3. Re: Programmatic Authentication in JBoss?
evsrao Dec 9, 2005 4:17 AM (in response to evsrao)
I'm able to do a JAAS login programmatically and am seeing correct values for getCallerPrincipal() and isCallerInRole() in EJBs. But in the web tier, getUserPrincipal() is returning null and isUserInRole() is returning false. How do I let the web container know that the user is already authenticated (programmatically)?
-
5. Re: Programmatic Authentication in JBoss?
eschulma Jan 26, 2007 12:25 PM (in response to evsrao)
Could you post more details on solving the first part of the question? I have reviewed the documentation many times, and I am comfortable in dealing with MBeans, but I don't see how to get a handle to the Realm involved, which I think is what is needed.
I know a filter would also work but that really seems like overkill.
I am seriously tempted to just copy the relevant code from here:
http://fisheye5.cenqua.com/browse/~raw,r=1.5/glassfish/appserv-core/src/java/com/sun/web/security/WebProgrammaticLogin.java
but that seems like a pretty ugly hack.
I would be very, very grateful for any suggestions. -
6. Re: Programmatic Authentication in JBoss?
eschulma Feb 6, 2007 3:55 PM (in response to evsrao)
After a lot of time spent on this, the issue seems to be Tomcat (or arguably the Servlet specification) more than JBoss. A variant on the JaasLoginFilter in the How-To works fine for accessing JBoss resources. Also as mentioned in the FAQ, #21. But there seems to be no straightforward way to log in to the Tomcat container programmatically; it is necessary to use web.xml and j_security_check etc. From what I can see online I'm not alone in my desire to find another way.
It is very nice that WebLogic and Sun provide convenience classes for this purpose. I can see though that doing this is arguably outside the scope of the application server.
At this point, I'm just going to use EJB/POJO security as provided by JBoss, and ignore things like Struts role-based security. Maybe the servlet spec will have this someday. :-) -
7. Re: Programmatic Authentication in JBoss?
cmdrclueless Feb 6, 2007 5:40 PM (in response to evsrao)
I'm also running into a lot of problems trying to push my authenticated principal up into the web container (Tomcat). I'm using JBoss+JSF+SEAM with ICEfaces and MyFaces as an application stack. Since we are using facelets, posting to 'j_security_check' isn't trivial because of how JSF works.
I can easily use JAAS to authenticate the EJB/POJO layers, but the web tier is proving resilient to my attempts to install the authenticated subject. I've read the thread, docs, and FAQ and like evsrao and eschulma I cannot find a workable solution.
There has to be a way to push the authenticated Subject into the Tomcat server session but I can't find it. -
8. Re: Programmatic Authentication in JBoss?
eschulma Feb 9, 2007 5:36 PM (in response to evsrao)
Unfortunately... I don't think there "has" to be a way, that is the problem. The servlet spec does not require it.
If you use one of Tomcat's authentication methods -- basic, form, etc. -- the credentials carry through very nicely and it is all wonderful. JBoss provides a way from Tomcat -> EJB layer but not vice-versa.
I am using AOP security and after the complexity of getting that running right, I'm very pleased. I think this will do everything needed, one can protect any function with it. You will need a JaasLoginFilter or equivalent for the web layer, plus stuffing username/password into session.
If you absolutely must do it with Tomcat, realize it's a Tomcat issue -- a custom Valve or Realm might work. But I think that would be extremely fragile with respect to upgrades. -
9. Re: Programmatic Authentication in JBoss?
lujop Feb 28, 2007 3:21 PM (in response to evsrao)
I also have the same problem. Has no one found a solution?
:( -
10. Re: Programmatic Authentication in JBoss?
lujop Feb 28, 2007 3:43 PM (in response to evsrao)
I have opened a feature request in JIRA, in case you find it interesting and want to vote:
http://jira.jboss.com/jira/browse/JBAS-4164 -
12. Re: Programmatic Authentication in JBoss?
eschulma Mar 12, 2007 2:10 PM (in response to evsrao)
You guys rock. :-)
-
13. Re: Programmatic Authentication in JBoss?
anil.saldhana Mar 14, 2007 12:27 PM (in response to evsrao)
This feature will be available in 4.2.0.GA.
I was thinking about ways to adequately test this. For now, after the web authentication in a servlet, I check for two things:
request.getUserPrincipal() != null
and
request.isUserInRole(role) == true
Any thoughts on how this can be tested further? (No JSF, struts etc ideas please). -
14. Re: Programmatic Authentication in JBoss?
eschulma Mar 14, 2007 2:39 PM (in response to evsrao)
Those two items would do what I need. I assume that getUserPrincipal() returns the same value as getCallerPrincipal()?
I guess you could try playing around with web.xml and see if the authentication allows you to access protected resources.
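
The filter workaround raised in this thread, sketched as an added example (it is not code from any poster, not the wiki's JaasLoginFilter, and not the 4.2.0.GA feature): after a programmatic JAAS login, a request wrapper answers getUserPrincipal() and isUserInRole() from the Subject. The domain name "example-domain", the session key and the class name are assumptions, and the role lookup assumes the JBoss login-module convention of a Group principal named "Roles".

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;          // Group type used by JBoss 4.x-era login modules
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SubjectRequestFilter implements Filter {   // hypothetical class name
    static final String ATTR = "example.jaas.subject";  // hypothetical session key
    // Call from the login action; "example-domain" is a placeholder JAAS domain.
    public static void login(HttpServletRequest req, final String user, final char[] pw)
            throws LoginException {
        LoginContext lc = new LoginContext("example-domain", new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs)
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw);
                    else throw new UnsupportedCallbackException(cb);
            }
        });
        lc.login();                                      // throws on bad credentials
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();               // new session id after login
        req.getSession(true).setAttribute(ATTR, lc.getSubject());
    }
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession s = req.getSession(false);
        final Subject subj = (s == null) ? null : (Subject) s.getAttribute(ATTR);
        if (subj == null) { chain.doFilter(rq, rs); return; }   // not logged in: pass through
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public Principal getUserPrincipal() {        // first non-Group principal
                for (Principal p : subj.getPrincipals()) if (!(p instanceof Group)) return p;
                return null;
            }
            public boolean isUserInRole(String role) {   // members of the "Roles" group
                for (Group g : subj.getPrincipals(Group.class))
                    if ("Roles".equals(g.getName()))
                        for (Principal m : Collections.list(g.members()))
                            if (m.getName().equals(role)) return true;
                return false;
            }
        }, rs);
    }
    public void init(FilterConfig c) {}
    public void destroy() {}
}
```

This only changes what application code sees through the request; web.xml security constraints are still decided by the container's own authenticator. The password is used for the login call and is not kept in the session.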