0 Replies Latest reply on Mar 1, 2014 12:27 AM by chrisbitmead

    Wrong realm getting called by JBoss security - help

    chrisbitmead

      I've got 2 wars installed in JBoss, one with / context root, and one with /foo context root. The one at / has realm-A in the web.xml and the one at /foo has realm-B in web.xml.

      Everything seems to be working fine as far as the right servlets are called, and so forth, except that when I call servlets at /foo/XXX it is being authenticated with realm-A instead of realm-B.

      In my standalone.xml I have both realm-A and realm-B defined with DatabaseServerLoginModule in the security-domains section.

      When I go to a servlet in /foo/XXX it correctly says it is asking for realm-B authentication. However, I have tracing on in JBoss security, and every trace statement says it is testing authentication against realm-A. So if I use a username/password defined in realm-B but not in realm-A, I can't log in because it is testing the wrong realm. If I supply a realm-A username/password it lets me access realm-B (wrongly).

      Why would the browser say it is asking for a realm-B security ID, and yet JBoss authenticates against realm-A?

      I'm using JBoss EAP 6.1.
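
An added example, not part of the original post and not JBoss code: in EAP 6 the `<realm-name>` in `web.xml` is only the label sent in the HTTP authentication challenge, while the security domain that performs the login is the one named by `<security-domain>` in `WEB-INF/jboss-web.xml`, a file the post does not mention. The script below compares the two for one WAR, assuming (as in the post) that the realm and the security domain are meant to share a name; the descriptor contents are constructed samples, and `audit_war` and its status names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from the post).
WEB_XML_B = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>realm-B</realm-name>
  </login-config>
</web-app>"""
JBOSS_WEB_XML_WRONG = "<jboss-web><security-domain>java:/jaas/realm-A</security-domain></jboss-web>"
JBOSS_WEB_XML_RIGHT = "<jboss-web><security-domain>realm-B</security-domain></jboss-web>"


def _first_text(xml_text, local_name):
    """Return the text of the first element with this local name, ignoring namespaces."""
    if not xml_text:
        return None
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == local_name and elem.text:
            return elem.text.strip()
    return None


def audit_war(context, web_xml, jboss_web_xml):
    """Compare the realm shown in the HTTP challenge with the bound security domain."""
    realm = _first_text(web_xml, "realm-name")
    domain = _first_text(jboss_web_xml, "security-domain")
    # Both "realm-B" and "java:/jaas/realm-B" name the same domain.
    if domain and domain.startswith("java:/jaas/"):
        domain = domain[len("java:/jaas/"):]
    if domain is None:
        status = "NO_DOMAIN"  # nothing declared, so the container default applies
    elif domain != realm:
        status = "MISMATCH"   # challenge advertises one name, login uses another
    else:
        status = "OK"
    return {"context": context, "realm": realm, "domain": domain, "status": status}


if __name__ == "__main__":
    for args in [("/foo", WEB_XML_B, JBOSS_WEB_XML_WRONG),
                 ("/foo", WEB_XML_B, JBOSS_WEB_XML_RIGHT),
                 ("/foo", WEB_XML_B, None)]:
        print(audit_war(*args))
```

A `MISMATCH` or `NO_DOMAIN` result for `/foo` would match the symptom described: the browser prompt names realm-B while the login modules of a different security domain check the credentials.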