Hello.

We're using JBoss AS 7 with a custom login module. This login module adds the roles of the user as Principals, wrapped in a own class called RolePrincipal.

The following works fine:

- I'm logging in with request.login(username, password)

- I can check the username with request.getRemoteUser()

- I can check roles with request.isUserInRole(...)

Now I'm trying to get my RolePrincipals in my Web Application (WAR File bundled in an EAR File).

Subject activeSubject = (Subject) javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container");
Set<Principal> principals = activeSubject.getPrincipals();

If I debug the code I can see the right class for the RolePrincipals. But if I check with instanceof I always get false:

for (Principal principal : principals) {
  if (principal instanceof RolePrincipal) {
    System.out.println("role: " + principal.getName());
  } else {
    System.out.println("something else: " + principal.getName());
  }
}

This I caused because the "principal" is loaded by the ModuleClassloader (The JAR file for the LoginModule and RolePrincipal is placed in the JBoss module xyz.security so all applications on the server can use it):

ModuleClassLoader for Module "xyz.security:main" from local module loader @f61190 (finder: local module finder @fb17e5 (roots: C:\dev\jboss-eap-6.1.1\modules,C:\dev\jboss-eap-6.1.1\modules\system\layers\base))

And the "RolePrincipal" in the WAR is from the WAR ClassLoader:

ModuleClassLoader for Module "deployment.test.ear.test.war:main" from Service Module Loader

The RolePrincipal JAR is not included in the WAR File, it is loaded via jboss-deployment-structure.xml as module.

So my questions is:

- Is this a correct way to retrieve the Principals?

- Is there any chance I can get this stuff loaded with the same classloader?

- Any other ideas to solve this?

Thanks,

regards Thomas