Hello,

I'm trying to develop a web based system where tomcat is deployed in the DMZ with a JBoss app server running behind a firewall. Clients authenticates themselves to the web tier using a client certificate.

I'm trying to find a way to use a JAAS login module inside the App server to authenticate the users logging in via the web. I was hoping I could configure the system so that tomcat could authenticate users based on the configuration inside the JBoss app server and that this user principle would be automatically availble to the servlets when they make calls back into the JBoss app server.

I was looking at using ClientLoginModule within the JAASRealm in tomcat but it seems that because ClientLoginModule is thread-specific this is a problem - I've seen posts describing user credentials 'leaking' into other web sessions because the same tomcat thread is re-used.

Other thoughts were to develop a tomcat valve that does this but that seems harder.

Any comments on a general direction on how to proceed or where to look would be very helpful.

Should I give up and just run tomcat inside jboss behind the firewall?