I've got 2 wars installed in JBoss, one with / context root, and one with /foo context root. The one at / has realm-A in the web.xml and the one at /foo has realm-B in web.xml.
Everything seems to be working fine as far the right servlets are called, and so forth, except that when I call servlets at /foo/XXX it is being authenticated with realm-A instead of realm-B.
In my standalone.xml I have both realm-A and realm-B defined with DatabaseServerLoginModule in the security-domains section.
When I go to a servlet in /foo/XXX it correctly says it is asking for realm-B authentication. However, I have tracing on in JBoss security, and every trace statement says it is testing authentication against realm-A. So if I use a username/password defined in realm-B but not in realm-A, I can't login because it is testing the wrong realm. If I supply a realm-A username/password it lets me access realm-B (wrongly).
Why would the browser say it is asking for a realm-B security ID, and yet JBoss authenticates against realm-A?