Hi,

I've just realized with the help of  TRACE/DEBUG that instead of taking the application policy as defined in  the login-config.xml, namely

<application-policy name="myWebApp">
       <authentication>

          <login-module  code="org.jboss.security.auth.spi.LdapLoginModule">

            ...

       </login-module>

   </application-policy-name>

when trying to login on my EJB Webapplication,  always the default  configuration by any security domain that does not  have an

application-policy entry with a matching name as defined  by default in the login-config.xml of JBoss 5.1.0.GA is used. And  because this default  should not be used of course no properties file  for this is defined. Uncommenting or deleting the default configuration  from the login-config.xml does not solve the problem, because my  application-policy for my security domain "myWebApp" is ignored.

I don't  understand why this happpens. I've believed the security domain  "myWebApp" for the context-root "myWebApp" is correct, but most probably  not. I'll give the content of the according deployment descriptors  below for completness. Maybe somebody sees and knows what might cause  the problem:

My  web.xml looks like:

And the web.xml is:

<?xml version="1.0"   encoding="UTF-8"?>

<web-app version="2.5"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
     <display-name>JAAS</display-name>

     <security-constraint>
        <display-name>myWebApp</display-name>
          <web-resource-collection>
              <web-resource-name>instituteKurz</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
           </web-resource-collection>
         <auth-constraint>
              <role-name>*</role-name>
           </auth-constraint>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
   </security-constraint>
<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>myWebApp</realm-name>
</login-config>

and  in the jboss-web.xml, I've defined the security domain, namely:

The  jboss-web.xml has the content:

<?xml version="1.0"   encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
      "-//JBoss//DTD Web Application 5.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
     <security-domain>java:/jaas/myWebApp</security-domain>
     <context-root>/myWebApp</context-root>
</jboss-web>

and this is  security domain is also specified in the the jboss.xml:

The  content of the  jboss.xml is:

<?xml version="1.0"   encoding="UTF-8"?>
<jboss>
     <security-domain>myWebApp</security-domain>
</jboss>

Additional  I'm using also the application.xml deployment descriptor which has the  following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE  application
   PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE  Application 1.3//EN"
   "http://java.sun.com/dtd/application_1_3.dtd">
<application>
    <display-name>myWebApp</display-name>
   <module>
       <ejb>myWebApp.jar</ejb>
   </module>
    <module>
      <web>
          <web-uri>myWebApp.war</web-uri>
          <context-root>myWebApp</context-root>
      </web>
    </module>
</application>