I'm running JBoss3.0.0beta, and using org.jboss.security.auth.spi.DatabaseServerLoginModule to perform authentication.
I know authentication succeeds - commit() is called, and returns true. The login module also retrieves the correct roles from the database (I've subclassed DatabaseServerLoginModule and listed the roles to confirm this).
However, when the client then tries to access a secured EJB, an exception is thrown. Extract from JBoss log:
12:28:22,235 INFO [Default] mjhserver.security.LoginBean@15a3a1 setSessionContext()
12:28:22,235 ERROR [SecurityInterceptor] Insufficient method permissions, principal=testuser, method=create, requiredRoles=[mjh], principalRoles=null
...ie it appears that the principal's roles have not been populated (although the principal itself is ok).
I'm at something of a loss - help anyone, please?
The issue was that the roles did not belong to the group 'Roles', which it appears they must.