0 Replies Latest reply on Aug 20, 2013 10:10 AM by thomas-h

    Is this a bug? HttpServletRequest.login() throws ServletException without RootCause

    thomas-h

      Hi All!

       

      We are currently migrating a project to JBoss AS 7.1 and refactoring a web application to make use of the new Servlet API 3.0.

      Just as additional information, we furthermore use a custom login module for authentication.

      In this context I faced the issue that the implementation in JBoss does not behave as I had expected in the case of login failure.

      I wanted to use the Servlet API 3.0 login() method on HttpServletRequest to authenticate programmatically from within the application. This login method declares that it throws a ServletException for failed authentication attempts.

      ServletException in turn is declared to contain the original exception as root cause in the Servlet API 3.0 spec, section 9.5 (Error Handling).

      As a result I would have expected that the ServletException thrown as a result of a failed login contains the original LoginException that is thrown by a LoginModule.

      But this is not the case.

       

      I debugged some code and discovered that JBossCachedAuthenticationManager catches the exception and puts it in a helper context named SecurityContextAssociation.

      From my current perspective I would say this is a bug because it breaks the Servlet API contract.

      But I am not too sure about this.

      So what do you think?

       

      Best regards,

       

      Thomas
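
One way for application code to handle a failed login() whether or not the container attaches the login module's exception, as an added example that is not part of the original post and not JBoss code. The class name ProgrammaticLogin, the Result enum and findLoginException are hypothetical; only standard Servlet 3.0, JAAS and java.util.logging types are used.

```java
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper; names are assumptions, not part of JBoss or the post. */
public final class ProgrammaticLogin {
    private static final Logger LOG = Logger.getLogger(ProgrammaticLogin.class.getName());
    private static final int MAX_DEPTH = 16; // guard against cyclic cause chains

    /** Both non-OK outcomes should produce the same generic message for the user. */
    public enum Result { OK, REJECTED, FAILED_UNKNOWN }

    /** Walks getRootCause()/getCause() looking for a JAAS LoginException; may return null. */
    static LoginException findLoginException(Throwable t) {
        for (int depth = 0; t != null && depth < MAX_DEPTH; depth++) {
            if (t instanceof LoginException) {
                return (LoginException) t;
            }
            Throwable root = (t instanceof ServletException)
                    ? ((ServletException) t).getRootCause() : null;
            t = (root != null) ? root : t.getCause();
        }
        return null;
    }

    public static Result login(HttpServletRequest request, String user, char[] password) {
        try {
            request.login(user, new String(password));
            return Result.OK;
        } catch (ServletException e) {
            LoginException cause = findLoginException(e);
            if (cause != null) {
                // The container preserved the login module's exception: keep the detail server-side.
                LOG.log(Level.INFO, "Login rejected: {0}", cause.getClass().getSimpleName());
                return Result.REJECTED;
            }
            // No LoginException in the chain (the behaviour described in the post), or login()
            // failed for another reason, e.g. a caller identity was already established.
            LOG.log(Level.WARNING, "login() failed without a LoginException cause", e);
            return Result.FAILED_UNKNOWN;
        } finally {
            Arrays.fill(password, '\0'); // clear the caller's copy of the password
        }
    }
}
```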