3 Replies Latest reply on Dec 7, 2008 11:25 AM by anil.saldhana

    JBoss 5 Strange Login Issues with WebAuthentication

    yoblin

      I'm porting a login system from JBoss 4 to JBoss 5 and am running into a strange issue. When the login credentials are wrong, everything works as expected (no exceptions, login fails). When the login credentials are correct, the user is authenticated, but an exception is then thrown after authentication:

      java.lang.IllegalStateException: Application Policy is null for the security domain:java:jaas/portal-rsa
       at org.jboss.security.plugins.mapping.JBossMappingManager.getMappingContext(JBossMappingManager.java:74)
       at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:391)
       at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:363)
       at org.jboss.security.plugins.JBossAuthorizationManager.getUserRoles(JBossAuthorizationManager.java:215)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.getUserRoles(JaasSecurityManagerBase.java:457)
       at org.jboss.security.plugins.JaasSecurityManager.getUserRoles(JaasSecurityManager.java:200)
       at org.jboss.web.tomcat.security.JBossWebRealm.getCachingPrincipal(JBossWebRealm.java:662)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:409)
       at org.jboss.web.tomcat.security.login.WebAuthentication.login(WebAuthentication.java:93)
       at com.prod.portal.mvc.servlet.AuthenticateServlet.doPost(AuthenticateServlet.java:86)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630)
       at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
       at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
       at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
       at com.prod.portal.mvc.servlet.PortalLoginServlet.doGet(PortalLoginServlet.java:18)
       at com.prod.portal.mvc.servlet.PortalLoginServlet.doPost(PortalLoginServlet.java:23)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      


      I don't see how the application policy is possibly null, because the whole thing works great when the credentials are wrong, and I can see my login extension getting called.

      Below I have the relevant code and config files.



      ---------------


      jboss-web.xml:

      <!-- Binds this web application to a JAAS security domain. -->
      <jboss-web>
       <context-root>prod</context-root>
       <!-- NOTE(review): the stack trace in this post reports the domain as
            java:jaas/portal-rsa, while this descriptor and the application-policy
            in login-config.xml both say "portal". Confirm that the deployed
            descriptors use one name consistently before looking for other causes. -->
       <security-domain>java:jaas/portal</security-domain>
      </jboss-web>
      


      web.xml:

      
      <!-- snip -->
      
      <!-- Servlet that receives the posted credentials and performs the programmatic login. -->
      <servlet>
       <servlet-name>AuthenticateServlet</servlet-name>
       <servlet-class>
       com.prod.portal.mvc.servlet.AuthenticateServlet
       </servlet-class>
      </servlet>
      
      <!-- NOTE(review): no servlet named login-servlet is declared in this excerpt;
           presumably it is part of the snipped section. -->
      <servlet-mapping>
       <servlet-name>login-servlet</servlet-name>
       <url-pattern>/auth/servlet/login</url-pattern>
      </servlet-mapping>
      
      <!-- This path is outside /secure/* and /flex/*, so the login endpoint is
           reachable without prior authentication. -->
      <servlet-mapping>
       <servlet-name>AuthenticateServlet</servlet-name>
       <url-pattern>/auth/servlet/AuthenticateServlet</url-pattern>
      </servlet-mapping>
      
      <!-- Idle session lifetime, in minutes. -->
      <session-config>
       <session-timeout>30</session-timeout>
      </session-config>
      
      <!-- Restricts /secure/* and /flex/* to callers holding the authenticatedUser role.
           NOTE(review): listing http-method elements limits the constraint to exactly
           those methods. Requests that use any other HTTP method on these paths are
           not covered by this constraint. Omitting the http-method elements makes the
           constraint apply to every method.
           NOTE(review): no user-data-constraint with a transport-guarantee is visible
           in this excerpt, so nothing here forces the credential POST onto TLS;
           confirm that this is enforced elsewhere. -->
      <security-constraint>
       <web-resource-collection>
       <web-resource-name>MVC Application</web-resource-name>
       <url-pattern>/secure/*</url-pattern>
       <url-pattern>/flex/*</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       </web-resource-collection>
       <auth-constraint>
       <description>
       Only allow Authenticated_users role
       </description>
       <role-name>authenticatedUser</role-name>
       </auth-constraint>
      </security-constraint>
      
      <!-- Must match, character for character, the role name the login module adds
           and the name passed to isUserInRole in AuthenticateServlet. -->
      <security-role>
       <role-name>authenticatedUser</role-name>
      </security-role>
      
      <!-- FORM login; both the login page and the error page live under /public,
           which the constraint above does not protect. -->
      <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
       <form-login-page>/public/login.jsp</form-login-page>
       <form-error-page>/public/login.jsp</form-error-page>
       </form-login-config>
      </login-config>
      
      <welcome-file-list>
       <welcome-file>auth/servlet/login</welcome-file>
      </welcome-file-list>
      
      </web-app>
      
      


      LDAP Extension Module:

      
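       /**
        * Replaces the directory role search with a fixed grant of the
        * {@code authenticatedUser} role.
        *
        * <p>This override never calls the parent implementation and ignores every
        * parameter, so no LDAP role query runs here: each caller that reaches this
        * method receives exactly the one hard-coded role. Authorization therefore
        * depends entirely on authentication having been decided correctly beforehand.
        * NOTE(review): presumably the parent login module invokes this only after the
        * user's credentials were validated; confirm against the base class.
        *
        * <p>If the role sets cannot be obtained, the failure is logged and no role is
        * added, which leaves the user without {@code authenticatedUser} (fail closed).
        *
        * @param ctx          LDAP context supplied by the caller (unused)
        * @param constraints  search controls supplied by the caller (unused)
        * @param user         login name (unused)
        * @param userDN       distinguished name of the user (unused)
        * @param recursionMax maximum role recursion depth (unused)
        * @param nesting      current recursion depth (unused)
        * @throws NamingException declared by the overridden method; not thrown by this body
        */
       @Override
       protected void rolesSearch(final InitialLdapContext ctx, final SearchControls constraints, final String user,
               final String userDN, final int recursionMax, final int nesting) throws NamingException {

           _log.debug("in rolesSearch in LDAP extension.");

           try {
               final Group[] groups = getRoleSets();
               if (groups == null || groups.length == 0 || groups[0] == null) {
                   // Without a role group there is nothing to add the role to; say so
                   // instead of failing with an index or null-pointer error.
                   _log.error("No role group available; authenticatedUser role was not granted");
                   return;
               }
               // addMember is declared on the Group interface, so the cast to
               // SimpleGroup (and its potential ClassCastException) is unnecessary.
               groups[0].addMember(new SimplePrincipal("authenticatedUser"));
           } catch (final LoginException e) {
               // Keep the original best-effort behaviour, but record the cause so a
               // missing role can be traced back to this failure.
               _log.error("Could not obtain role sets; authenticatedUser role was not granted", e);
           }
       }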
      }
      


      login-config.xml:

      <!-- JAAS policy definitions for the server. -->
      <policy>
       <!-- The policy name is expected to equal the security domain configured in
            jboss-web.xml with the java:jaas/ prefix removed ("portal").
            NOTE(review): only an authentication section is shown here; the exception
            in this post is raised while the server resolves roles for the domain, so
            verify that the policy the server looks up is this one. -->
       <application-policy name="portal">
       <authentication>
       <!-- flag="required": this module must succeed for the login to succeed. -->
       <login-module code="com.prod.portal.security.loginmodule.ProdLdapExtLoginModule" flag="required">
       <!-- MODULE OPTIONS SNIPPED -->
       </login-module>
       </authentication>
       </application-policy>
      </policy>
      


      Authenticate Servlet:

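       /**
        * Authenticates the posted credentials through {@code WebAuthentication} and
        * forwards to the secured landing page on success or back to the login page
        * otherwise.
        *
        * <p>The secured view is chosen only when all of the following hold, evaluated
        * in this order: the programmatic login reported success, the request carries
        * a user principal, that principal has the {@code authenticatedUser} role, and
        * {@code onUserLogon} returns {@code true}. Every other outcome forwards to
        * {@code /public/login.jsp}, so a failed login and a missing form submission
        * are indistinguishable to the client.
        *
        * <p>NOTE(review): nothing visible here issues a fresh session id around a
        * successful login. Unless the container is configured to do so, a session id
        * handed out before authentication stays valid afterwards; confirm.
        *
        * @param request  the login form post; reads the {@code username} and
        *                 {@code password} parameters
        * @param response the response the chosen view is forwarded to
        * @throws ServletException if the forward fails
        * @throws IOException      if the forward fails on I/O
        */
       @Override
       public void doPost(final HttpServletRequest request, final HttpServletResponse response)
               throws ServletException, IOException {

           // Default to the login page; only a fully successful login overrides it.
           String view = "/public/login.jsp";

           final String uid = request.getParameter("username");
           final String password = request.getParameter("password");

           // NOTE(review): `token` is not declared in this excerpt. The login is
           // skipped only when all three values are null, so a request with just one
           // of username/password still reaches login() with a null argument; confirm
           // that this is intended.
           final boolean nothingSubmitted = uid == null && password == null && token == null;

           if (!nothingSubmitted) {
               final WebAuthentication pwl = new WebAuthentication();

               // Use the result of login() instead of discarding it: otherwise a failed
               // attempt on a session that already carries a principal would still be
               // treated as a successful login by the checks below.
               final boolean authenticated = pwl.login(uid, password);

               if (authenticated
                       && request.getUserPrincipal() != null
                       && request.isUserInRole("authenticatedUser")
                       && onUserLogon(request.getSession(), request)) {
                   view = "/secure/main.html";
               }
           }

           final RequestDispatcher rd = request.getSession().getServletContext().getRequestDispatcher(view);
           rd.forward(request, response);
       }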