0 Replies Latest reply on May 2, 2007 12:15 PM by engela

    Sharing the portal security domain with a servlet

    engela

      I would quite like to share the security domain of the portal with a servlet which is in the same application context as my portlets. (The task of the servlet is to generate some images on-the-fly, but it needs to know the security context, as only authenticated and authorized users are allowed to view the generated images.)

      Looking at the description in http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss I tried the following steps:

      1. I moved the portal security domain from the login configuration for the portal (JBOSS_HOME/default/deploy/jboss-portal.sar/conf/data/login-config.xml) to the JBoss AS login configuration (JBOSS_HOME/default/conf/login-config.xml).

      <application-policy name="portal">
        <authentication>
          <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
          </login-module>

          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

            <!-- my ldap configuration -->

          </login-module>
        </authentication>
      </application-policy>


      2. Configured the web.xml in my application context to secure my servlet

      <?xml version="1.0"?>
      <!DOCTYPE web-app PUBLIC
        "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
      <web-app>

        <servlet>
          <servlet-name>test</servlet-name>
          <display-name>test</display-name>
          <servlet-class>TestServlet</servlet-class>
        </servlet>

        <servlet-mapping>
          <servlet-name>test</servlet-name>
          <url-pattern>/test</url-pattern>
        </servlet-mapping>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>test</web-resource-name>
            <url-pattern>/test</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>myrole</role-name>
          </auth-constraint>
        </security-constraint>

        <security-role>
          <role-name>myrole</role-name>
        </security-role>
      </web-app>


      3. Configured the jboss-web.xml in my application context to point to the portal security domain

      <jboss-web>
        <security-domain>java:jaas/portal</security-domain>
      </jboss-web>


      The view.jsp of my portlet references the servlet

      <%@ taglib uri="http://java.sun.com/portlet" prefix="portlet"%>
      <%@ page isELIgnored="false"%>

      <portlet:defineObjects />
      <p>Test Portlet Servlet Interaction</p>
      <iframe src="my-web-app/test" />


      The servlet currently prints out the remote user name (request.getRemoteUser()) and tests if the user is in role "myrole" (request.isUserInRole("myrole")).

      With the security constraint in place I get an HTTP Status 403 - Access to the requested resource has been denied in my iframe. If I remove the security constraint, the output in my iframe tells me that the remote user is null and returns false for request.isUserInRole("myrole").

      Is it possible for a servlet to share the same security domain as my portlets? If yes, what am I doing wrong?

      Thanks,

      Anette
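The post above mentions a TestServlet that prints the remote user and the result of isUserInRole("myrole"). The servlet below is an added example written for this page, not engela's code: it shows how the image-generating servlet described in the question can fail closed when the container has not established a security context, which is exactly the state the poster observes (getRemoteUser() returning null) once the declarative security-constraint is removed. It assumes the Servlet 2.3 API available in that JBoss version, the role name "myrole" from the web.xml in the post, and a constructed 200x40 PNG as the "generated image"; the log messages and the Cache-Control headers are this example's own choices.

```java
// Added example (not from the original post): a servlet that only renders its
// image once the container has authenticated the caller and confirmed the role.
// Assumes the Servlet 2.3 API and the role name "myrole" from the post's web.xml.
import java.awt.Color;
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.io.OutputStream;

import javax.imageio.ImageIO;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestServlet extends HttpServlet {

    // Role name declared in <security-role> / <auth-constraint> in web.xml.
    private static final String REQUIRED_ROLE = "myrole";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getRemoteUser();

        // No security context: the container did not authenticate this request.
        // This is the "remote user is null" case from the post; the servlet must
        // not serve the image here even if the declarative constraint is missing.
        if (user == null) {
            log("denied: no authenticated user for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated but not authorised: isUserInRole() consults the roles the
        // login modules of the "portal" security domain assigned to the principal.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            log("denied: user " + user + " lacks role " + REQUIRED_ROLE);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authenticated and authorised: render the per-user image (constructed
        // placeholder content standing in for the real on-the-fly generation).
        BufferedImage image = new BufferedImage(200, 40, BufferedImage.TYPE_INT_RGB);
        Graphics2D g = image.createGraphics();
        try {
            g.setColor(Color.WHITE);
            g.fillRect(0, 0, image.getWidth(), image.getHeight());
            g.setColor(Color.BLACK);
            g.drawString("user: " + user, 5, 25);
        } finally {
            g.dispose();
        }

        // The image is specific to an authorised user, so keep it out of shared
        // and browser caches; otherwise a later, unauthenticated request to the
        // same URL could be answered from cache without ever hitting this check.
        response.setContentType("image/png");
        response.setHeader("Cache-Control", "no-store, private");
        response.setHeader("Pragma", "no-cache");
        OutputStream out = response.getOutputStream();
        ImageIO.write(image, "png", out);
        out.flush();
    }
}
```

The programmatic checks do not replace the security-constraint in web.xml; the container's declarative constraint is what causes the login to happen in the first place, while the in-servlet checks make the servlet deny access rather than emit a "null" user if the constraint is ever removed or misconfigured.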