Hi everyone & Scott if you're reading this thanks for your excellent article in JavaWorld, it really helped me to get an understanding of the not-so-trivial topic.
As I understand it, clients of JBoss (stand-alone or servlets) always need to do the same thing: perform a JAAS login with a configuration of org.jboss.security.ClientLoginModule - this binds the user data to JBoss, and the JBoss server then actually performs authentication using one of the "real" JBoss LoginModules or a custom one. At least, this seems to be the preferred way of doing things.
As I tried to explain to our servlet programmer (Cocoon actually, to be precise) the steps he had to take to be able to call a (secured) EJB, it occurred to me that it is a lot of work for always doing the same thing, that is, triggering the execution of the JBoss ClientLoginModule. So I developed my own implementation of javax.security.auth.login.Configuration to contain just this one JBoss client configuration, and wrapped all the login stuff in a JBossClient class, so a developer of servlets (or whatever) which call JBoss EJBs just needs to use this one class, and doesn't need any auth.conf file or JAAS code.
Does this seem like a reasonable way of doing things? Might this actually be useful as a JBoss client-side plugin in the jboss-jaas.jar, for accelerating client development?
If anybody thinks this might be useful, I'll be glad to post or mail the code.
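For readers who want to see what such a wrapper looks like, here is an added illustration (not the poster's actual code): a Configuration whose single entry is org.jboss.security.ClientLoginModule, wrapped in a JBossClient class. The entry name "jboss-client" is made up, and the code assumes Java 5+ for the four-argument LoginContext constructor and Java 8 for the lambda.

```java
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JBossClient {
    private static final String ENTRY = "jboss-client";  // hypothetical entry name
    // Programmatic Configuration that replaces the auth.conf file: one entry,
    // whose only login module is the JBoss ClientLoginModule.
    private static final Configuration CLIENT_CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!ENTRY.equals(name)) {
                return null;  // unknown entry: LoginContext fails with a clear error
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "org.jboss.security.ClientLoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.<String, Object>emptyMap())  // module options go here
            };
        }
        public void refresh() { /* static configuration, nothing to reload */ }
    };

    private final LoginContext ctx;

    // Binds user/password on the client side so subsequent EJB calls carry them;
    // the server still performs the real authentication with its own modules.
    public JBossClient(String user, char[] password) throws LoginException {
        // ClientLoginModule asks for a NameCallback and a PasswordCallback.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        // Java 5+ constructor: the Configuration is passed in rather than installed
        // process-wide via Configuration.setConfiguration().
        ctx = new LoginContext(ENTRY, new Subject(), handler, CLIENT_CONFIG);
        ctx.login();
    }

    public void close() throws LoginException { ctx.logout(); }  // clear the association
}
```

Call close() after the EJB work is done, otherwise the identity stays associated with the thread.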
If you use the JBoss/Tomcat bundle, servlet authors don't have to do anything. The bundle includes a Tomcat request interceptor that automatically integrates with the JBossSX framework based on the jboss-web.xml/security-domain setting. The JavaWorld article demonstrates this, since the SecureEJBServlet has no JAAS code.