I should add that this only occurs with BASIC authentication. Form based authentication appears to be OK.
Even more info:
Now I'm using Form authentication, since Basic still doesn't work. For a test, I have an 'index.jsp' in my secured directory. I can get authenticated and get to it ok, but I'm seeing some really weird behavior.
The index.jsp references a stylesheet and 2 images in its HTML. For some reason, I appear to be randomly authorized or not authorized for these other files (sometimes one of the images will be blank, or the stylesheet is obviously missing). The odd thing is that hitting refresh comes up with a different combination every time (I've been repeatedly pressing refresh). I'll see messages in the JBoss console saying that my userid is authenticated (at first) and then authorized, with messages about not being authorized because of a missing role -- yet this userid is a member of that role, and must be to even get to this point.
I saw the same random authorization failures. I'm not too familiar with JBoss or Catalina internals, but it looked like the problem was improper propagation of the security data when testing authorization for a user with Catalina-cached authentication.
I worked around this by using a modified org.apache.catalina.authenticator.FormAuthenticator which does not perform the first (principal != null) test in its authenticate() method.
This successfully bypasses Catalina's caching of Principals, instead retrieving them from the JBossSX layer (and its cache) each time. I believe this is necessary to reliably have a properly initialized Subject at authorization time.
I still haven't figured out why it would only fail about 10-20% of the time. My guess is improper sharing of state between threads, but it's hard to tell. Perhaps a JBossSX expert could shed some light on this?
By the way, FormAuthenticator is inexplicably final, so I had to copy-and-paste it. To use your own Authenticator, you need to change org/apache/catalina/startup/Authenticators.properties, which maps authentication modes to Authenticators.
Hmmm...since it's more than just me seeing this, I went ahead and filed a bug report ( http://sourceforge.net/tracker/index.php?func=detail&aid=475156&group_id=22866&atid=376685 ) -- after I filed that I noticed another bug report talking about problems with simultaneous requests (first request goes ok, other requests taking place at the same time fail). So, we might be seeing a weird manifestation of this bug: http://sourceforge.net/tracker/index.php?func=detail&aid=471225&group_id=22866&atid=376685 .
claytonw -- thanks for the pointer...for now, I've gotten BASIC authentication working, and I'm not seeing the same authorization probs. (By the way, I just looked at the jakarta catalina CVS, and it looks like they've removed the final protection on that FormAuthenticator class)
Glad that worked for you. I've narrowed the problem down a bit; Tomcat's Principal caching is the problem, but it can be disabled. Catalina's abstract AuthenticatorBase provides a setCache(boolean) method, and calling setCache(false) suffices to cause reauthentication against the JBossSecurityMgrRealm on each visit without needing to modify the authenticators themselves. I've added some code to EmbeddedCatalinaServiceSX to do that.
When I get a chance, I'll clean things up and submit patches for that and Ajp13 integration with Apache. Next on my list is Tomcat SingleSignOn support...
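As an added illustration of the two approaches described in this thread (the copied FormAuthenticator that skips the cached-Principal check, and the later, simpler setCache(false) fix on AuthenticatorBase), here is a minimal authenticator skeleton that disables Catalina's Principal caching. This is example code written for this page, not code posted by any participant; the package and class names are hypothetical, and it assumes a Catalina build in which FormAuthenticator is no longer final.

```java
// Added example, not from the thread. Hypothetical package name.
package example.auth;

import org.apache.catalina.authenticator.FormAuthenticator;

/**
 * A FormAuthenticator that never trusts a Principal cached in the session.
 *
 * With caching on, authenticate() returns early when a Principal is already
 * attached to the session, so later authorization checks run against that
 * cached object. With caching off, every request goes back to the configured
 * Realm (the JBossSecurityMgrRealm in this setup), so the Subject is freshly
 * initialized on each visit, which is the behaviour the workaround relies on.
 */
public class UncachedFormAuthenticator extends FormAuthenticator {

    public UncachedFormAuthenticator() {
        super();
        // AuthenticatorBase.setCache(boolean) is the switch mentioned above;
        // false = re-authenticate against the Realm on each request.
        setCache(false);
    }
}

/*
 * To make Catalina use this class for FORM login instead of the stock
 * one, point the FORM entry in
 *   org/apache/catalina/startup/Authenticators.properties
 * at it (the file maps <auth-method> values to authenticator classes):
 *
 *   FORM=example.auth.UncachedFormAuthenticator
 *
 * No web.xml change is needed; <auth-method>FORM</auth-method> stays as is.
 */
```

The trade-off is the same one the thread notes: with caching disabled every request for a protected resource (including each stylesheet and image referenced by the page) costs a Realm lookup, so the JBossSX-side cache is what keeps that affordable.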
I am also trying to extend FormAuthenticator. I don't know exactly what to do. Can you post an example of how you derived from FormAuthenticator in a skeleton, with all specific details removed? Also, what else did you change to get it to work, any changes to any of the descriptor files?
Thanks in advance.