I am using jboss-as-7.1.0.Final-SNAPSHOT and trying to set up custom login module that uses a database.  I followed the instructions in the AS7 documentation to configure a new security domain in standalone.xml and security-domain in jboss-security.xml and security-constraint in web.xml and I set JBoss' logging to TRACE so I can see that my custom login module methods are being invoked (login(), authenticate()).  But injected managed beans and EntityManager references are null.

Taking a look at https://community.jboss.org/wiki/JBossAS7SecurityDomainModel, which says:

"Just write the FQCN in the code attribute and it should work out of the box."

"To place the custom login module class files, you can place them in a jar and put it either:

• application classpath of your web archive (war) or ejb jar or enterprise archive (ear)  OR
• separate module under the modules directory."

Does this mean that my custom login module can be a stateful ejb?  I don't want to use manual transaction demarcation.  I am configuring my login module as stateful ejb and when I deploy, the EntityManager does not appear to be injected; I get NullPointerException.  Any managed beans that I try to inject are also null.

I took a look at org.jboss.security.auth.spi.DatabaseServerLoginModule (see attached) to see how database access is handled there.  DataSource lookup is via InitialContext e.g.

InitialContext ctx = new InitialContext();

DataSource ds = (DataSource) ctx.lookup(dsJndiName);

conn = ds.getConnection();

I don't want to write my custom login module this way.  Can I use stateful ejb?