I've noticed that the login-config.xml in the Portal indicates a (new?) LoginModule (org.jboss.portal.core.security.jaas.IdentityPropagationLoginModule) that appears to take the place of ClientLoginModule for propogation.
Is this assumption correct?
I have tried using both but am getting different errors with each.
The IdentityPropogationLoginModule fails when initializing our Portlet with a NullPointerException (I believe because our Portlet calls EJBCreate on a session bean, and there is no logged in user yet... the ejbCreate method is set as unchecked=true, but this hasn't helped; I've been pouring over docs looking at the intricacies / conflicts of dealing with roles, groups, etc - our LoginModule worked great until we started to place our apps under a security domain - it might still be working great, but now I'm not so sure ;).
The ClientLoginModule fails with this security notice:
09:11:05,713 INFO [STDOUT] Caused by: java.lang.SecurityException: Insufficient method permissions, principal=[roles=[Authenticated],principal=anonymous], ejbName=UserManagement, method=getRootUsers, interface=REMOTE, requiredRoles=[Authenticated], principalRoles=null
Note that the principal is flagged with an Authenticated role, but principalRoles is null... I think that is what's causing our problem there.
Which way should I pursue? Should I even track down the problems with ClientLoginModule or should I chase down what's going on with the IdentityPropagationLoginModule?