We are currently migrating a project to JBoss AS 7.1 and refactore a WebApplication to make use of the new ServletAPI 3.0.
Just as additonal Information we furthermore use a custom loginmodule for authentication.
In this context I faced the issue that the Implementation in JBoss does not behave like I had expected in the case of login failure.
I wanted to use ServletAPI 3.0 login() method on HttpServletRequest to authenticate programmatically from withinh the application. This login method declares to throw a ServletException for failed authentication attempts.
ServletExpetion in turn is declared to contain the original exception as root cause in ServletApi 3.0 Spec Section 9.5 (Error Handling).
As a result I would have expected the ServletExcpetion thrown as a result of failed login contains the original LoginException that is thrown by a LoginModule.
But this is not the case.
I debugged some code and discovered that JBossCachedAuthenticationManager catches the Exception and puts it in a helper context named SecurityContextAssociation.
From my current perspective I would say this is a bug cause it breaks the servlet api contract.