0 Replies Latest reply on Mar 9, 2010 12:41 PM by dfisher

    Client Cert Authentication in 5.1.0

    dfisher

      I'm upgrading from version 4.2.3 to 5.1.0 and I'm having trouble getting SSL client authentication and JAAS to work correctly.

      My session beans are annotated as:

      {code:java}
      @Stateless
      @SecurityDomain("ClientCertDomain")
      @WebContext(
        transportGuarantee = "CONFIDENTIAL",
        authMethod = "CLIENT-CERT"
      )
      {code}

       

      My login-config.xml contains the following entry:

      {code:xml}
      <application-policy name="ClientCertDomain">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule"
                        flag="sufficient">
            <module-option name="securityDomain">ClientCertDomain</module-option>
            .....
          </login-module>
        </authentication>
      </application-policy>
      {code}

       

      Invocations of the web service fail with: faultString: (401)Unauthorized

      The logs indicate that the security domain specified in the stateless session bean is "".

      {noformat}Application Policy not obtained for domain=. Trying to obtain the App policy for the default domain of the layer:WEB{noformat}

      This is apparently related to this bug: https://jira.jboss.org/jira/browse/JBAS-7037

      However, I cannot get the workaround to work.

       

      Is the best course of action to attempt to update the jars in the JBoss 5.1.0 distribution?

      Or is there another/better way to configure client cert based authorization?

      (We can't use WS-Security yet, our clients don't support it.)
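For readers arriving at this thread, the following is an added example (not the poster's configuration) of what a complete CLIENT-CERT setup for a JBoss 5.x security domain usually consists of: the JaasSecurityDomain MBean that holds the trust store used to validate the presented client certificate, and the matching `DatabaseCertLoginModule` policy that maps the certificate's principal to roles. The data-source JNDI name, the roles query, the table names and the keystore paths are placeholders chosen for illustration.

```xml
<!-- Added example, not the original post's config. -->
<!-- 1) jboss-service.xml (or a *-service.xml in deploy/): the keystore/truststore
        the login module verifies the client certificate against. The MBean name
        suffix must equal the "securityDomain" module-option below. -->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=ClientCertDomain">
  <constructor>
    <arg type="java.lang.String" value="ClientCertDomain"/>
  </constructor>
  <!-- Placeholder paths and passwords: replace with your own. -->
  <attribute name="KeyStoreURL">resource:server.keystore</attribute>
  <attribute name="KeyStorePass">KEYSTORE_PASSWORD_PLACEHOLDER</attribute>
  <attribute name="TrustStoreURL">resource:client-ca.truststore</attribute>
  <attribute name="TrustStorePass">TRUSTSTORE_PASSWORD_PLACEHOLDER</attribute>
</mbean>

<!-- 2) login-config.xml: the policy referenced by @SecurityDomain("ClientCertDomain").
        "flag=required" rather than "sufficient" so a failed certificate check
        cannot be satisfied by another module in the stack. -->
<application-policy name="ClientCertDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule"
                  flag="required">
      <!-- Trust store used to validate the client certificate chain. -->
      <module-option name="securityDomain">ClientCertDomain</module-option>
      <!-- Data source holding the principal-to-role mapping (placeholder JNDI name). -->
      <module-option name="dsJndiName">java:/ClientCertDS</module-option>
      <!-- Principal name is the certificate subject DN; query returns (role, role-group). -->
      <module-option name="rolesQuery">
        select Role, 'Roles' from Roles where PrincipalID=?
      </module-option>
    </login-module>
  </authentication>
</application-policy>
```

The only thing this example adds over the poster's snippet is the trust-store binding and the role lookup; it does not address the empty-domain symptom from JBAS-7037 that the question is actually about.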