If I'm not mistaken (and its quite possible that I am) the tomcat integration is broken in the CVS checkout at the moment.
I have a simple webapp with some security constraints over some static content, configured up to use UsersRolesLoginModule. With the 3.2.1/TC4.1.24 release it works fine, but when I use the version I build from CVS (exact same configuration) it always fails.
Further investigation revealed that JBossSecurityMgrRealm.authenticate is called with the wrong context ClassLoader - it has a Unified class loader instead of the webapp one (java.net.FactoryURLClassLoader) which was used by AbstractWebContainer to link the SecurityManager.
This results in java:comp being empty (which I assume will stop EJB references and a bunch of other things from working, not just security).
Is this just a transitional thing? Should I just use the release bundle for now? Can anyone tell me where to look to fix it? ...