1 Reply Latest reply on Mar 8, 2005 6:26 AM by thomas.diesler

    Bug in Jboss.net: cannot authenticate on JBoss 4.0.1sp1 with

      Hi,

      JBoss 4.0.1sp1 seems to have the possibility to authenticate against roles. However, this didn't work. Looking at the source code, it seems that you forgot to register the subject with the SecurityAssociation class in the class org.jboss.net.axis.server.JBossAuthenticationHandler. Here is what the validate method becomes if we do so:

      /** validates the given principal with the given password */
      protected Subject validate(Principal userPrincipal, String passwd) throws AxisFault
      {
         // build passchars
         char[] passChars = passwd != null ? passwd.toCharArray() : null;
         // do the validation only if authenticated or validation enforced
         Subject subject = null;
         if (shouldValidateUnauthenticatedCalls || userPrincipal != NobodyPrincipal.NOBODY_PRINCIPAL)
         {
            subject = new Subject();
            // isValid will setup the subject !
            // have to use pointer comparison here, but it's a singleton, right?
            if (!authMgr.isValid(userPrincipal, passChars, subject))
            {
               throw new AxisFault("Server.Unauthenticated",
                     org.apache.axis.utils.Messages.getMessage("cantAuth01", userPrincipal.getName()),
                     null, null);
            }
            // added line: register the authenticated subject so later role checks can see it
            SecurityAssociation.setSubject(subject);
         }
         return subject;
      }

      I also removed the class associate as it is no longer used (this method only authenticates based on the principal and the credential, not the roles, I think).

      I hope this helps. I do not know if this is the right fix, even if it seems to work (and roles are now working, great!).

      Nicolas Leroux
      Lunatech Research
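
The failure described in the post above, reduced to a stand-alone sketch. This is an added example, not code from the post or from JBoss: CURRENT is a hypothetical per-thread holder standing in for SecurityAssociation, and isValid, callerInRole, handle, the Role type and the alice/s3cret credentials are constructed for the demo. It shows that a successful password check yields no roles downstream unless the populated Subject is bound to the thread, and that the binding is cleared when the request ends.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;

public class SubjectPropagationDemo {
    /** Hypothetical per-thread holder standing in for SecurityAssociation. */
    static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    /** Constructed role principal; real login modules supply their own types. */
    record Role(String name) implements Principal {
        public String getName() { return name; }
    }

    /** Stand-in for authMgr.isValid(): checks the password and fills the subject. */
    static boolean isValid(String user, char[] password, Subject subject) {
        // Constructed single-user credential store, for the demo only.
        if (!"alice".equals(user) || !Arrays.equals("s3cret".toCharArray(), password)) return false;
        subject.getPrincipals().add(new Role("Manager"));
        return true;
    }

    /** Handler step: authenticate, then optionally bind the subject to the thread. */
    static Subject validate(String user, String passwd, boolean register) {
        Subject subject = new Subject();
        if (!isValid(user, passwd.toCharArray(), subject))
            throw new SecurityException("cannot authenticate " + user);
        if (register) CURRENT.set(subject); // the step the post adds
        return subject;
    }

    /** Downstream role check: it only sees what is bound to the thread. */
    static boolean callerInRole(String role) {
        Subject s = CURRENT.get();
        return s != null && s.getPrincipals().contains(new Role(role));
    }

    /** Runs one request and always clears the thread binding afterwards. */
    static boolean handle(boolean register) {
        try {
            validate("alice", "s3cret", register);
            return callerInRole("Manager");
        } finally {
            CURRENT.remove(); // a pooled thread must not keep the previous caller's subject
        }
    }

    public static void main(String[] args) {
        System.out.println("role check without registration: " + handle(false));
        System.out.println("role check with registration:    " + handle(true));
    }
}
```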