Since it's my first post, I'd like to say "Hello everybody".
Currently I'm migrating from JBoss 4.2.3 to JBoss 5.1.0 and I met problem with authentication. I have spent more than a week trying to solve it without result, so I decided to write here.
I have an application that uses JAAS for authentication. On the server side there's a custom module that extends UsernamePasswordLoginModule, and there's also an application policy in login-config.xml that defines this login module.
The standalone client uses ClientLoginModule with this configuration: clientJaas { org.jboss.security.ClientLoginModule required; };
The client does:
LoginContext loginCtx = new LoginContext("clientJaas", someHandler);
loginCtx.login();
Subject subject = loginCtx.getSubject();
subject.doAs(...);
I copied the application policy from 4.2.3, and I upgraded the client libraries using the JBoss client directory.
When I use my client app with JBoss 4.2.3, everything works fine, but the problem appears when using JBoss 5.1.0. After starting the client application, the first action is authenticated (I can also see my principal in the log). But my second action always ends with an 'Invalid User' exception. When tracing the JBoss logs, I can see that this time it's a null principal (and the exception is thrown in UsernamePasswordLoginModule)! When using JBoss 4 there is always a correct principal in the log.
I'm really confused. I heard about losing credentials because of a bug in messaging, but installing HornetQ didn't help.
I read the security FAQ and I have a question: does using 'doAs' and LoginContext instead of SecurityClient still work? Or maybe there's another required step that slipped my mind?
Please help me, I've started losing my hair trying to find out what's wrong.
Best regards,
K.Cz.
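For readers following the LoginContext / Subject.doAs pattern described in the post, here is an added, self-contained example; it is not code from the original post, from JBoss, or from its ClientLoginModule. It replaces the server-side module and the login-config.xml stanza with a constructed in-memory LoginModule and a programmatic Configuration (the names JaasDoAsDemo, DemoLoginModule, principalSeenByAction and the user "kcz" / password "secret" are all made up for the demo), so it runs on a plain JDK. The point it makes is the defender's check implied by the symptom above: inside each doAs block the action can ask which Subject and principal are actually bound, so a second call running with an empty or missing Subject is detected on the client side instead of surfacing only as an 'Invalid User' exception on the server.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasDoAsDemo {

    /** Constructed stand-in for the server-side login module: one hard-coded user. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Principal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { name, pass });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            // Constructed credential check; a real module would consult a user store.
            boolean ok = "kcz".equals(name.getName())
                    && "secret".equals(new String(pass.getPassword()));
            pass.clearPassword();
            if (!ok) throw new LoginException("Invalid User");
            final String user = name.getName();
            principal = new Principal() {
                public String getName() { return user; }
                public String toString() { return "DemoPrincipal[" + user + "]"; }
            };
            return true;
        }

        // commit() is where the principal becomes visible on the Subject.
        public boolean commit() {
            if (principal == null) return false;
            subject.getPrincipals().add(principal);
            return true;
        }
        public boolean abort() { principal = null; return true; }
        public boolean logout() {
            subject.getPrincipals().remove(principal);
            principal = null;
            return true;
        }
    }

    /** Programmatic equivalent of "clientJaas { <module> required; };" in a JAAS config file. */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"clientJaas".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>()) };
        }
    };

    /** Runs one action under doAs and returns the principal name it sees, or null if none is bound. */
    static String principalSeenByAction(Subject subject, final String actionName) {
        return Subject.doAs(subject, new PrivilegedAction<String>() {
            public String run() {
                // Subject.current() replaces this lookup on JDK 18 and later.
                Subject current = Subject.getSubject(AccessController.getContext());
                if (current == null || current.getPrincipals().isEmpty()) {
                    System.out.println(actionName + ": no principal bound");
                    return null;
                }
                String name = current.getPrincipals().iterator().next().getName();
                System.out.println(actionName + ": running as " + name);
                return name;
            }
        });
    }

    public static void main(String[] args) throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName("kcz");
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("secret".toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext ctx = new LoginContext("clientJaas", null, handler, CONFIG);
        ctx.login();
        Subject subject = ctx.getSubject();

        // Two consecutive actions with the same authenticated Subject both see the principal.
        principalSeenByAction(subject, "first action");
        principalSeenByAction(subject, "second action");
        // An empty Subject is what a "null principal" looks like from the caller's side.
        principalSeenByAction(new Subject(), "action with empty Subject");
        ctx.logout();
    }
}
```

Compile and run with `javac JaasDoAsDemo.java && java JaasDoAsDemo`; the first two lines report the principal, the third reports that none is bound. In a real client the same check belongs just before each remote call, so that a lost or replaced Subject is logged locally with the action name rather than only as a server-side rejection.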