The actual authentication should only happen on the server side (JBoss). So I guess it doesn't make sense to make your custom LoginModule available on the client side.
On the client side, you should only use the org.jboss.security.ClientLoginModule
>>Where should the actual authentication happen - on the client or server side?
The JBoss EJB container (server) checks authentication on every method call. So authentication needs to occur on the server side.
On the client side use the org.jboss.security.ClientLoginModule. This module does not perform authentication, but instead prepares the user principal and credential for use by the JBoss server.
I have also created custom LoginModules for use by the JBoss server. After you write them and test them you declare them in the server login-config.xml.
>>But on the server-side the custom CallbackHandler.handle(.) method is not called.
On the server side do not use any custom CallbackHandler, Principals or Groups with JAAS since the JBoss server uses its own mechanism for handling authentication. Just declare the LoginModules in login-config.xml.
If you are getting specific errors, post them here for analysis. Also read the server log file, because more details are deposited there.
BTW, congratulations on writing your own custom LoginModule -- it is not a trivial exercise.
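The server-side half of the arrangement described above, as an added example that is not code from this thread or from JBoss: a plain JAAS LoginModule that does the real authentication and is declared in the server's login configuration. It uses only the standard javax.security.auth API (no JBossSX base classes), the user table is constructed in memory for illustration, and the class name, config entry name and credentials are hypothetical.

```java
// Added example, not from the thread. Server-side JAAS LoginModule that performs the
// actual authentication. JBoss supplies the Subject and CallbackHandler when it invokes
// the module; the application never constructs them on the server side.
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ExampleServerLoginModule implements LoginModule {
    // Constructed sample credentials (hypothetical). A real module would look these up
    // in a directory, database or properties file, never hard-code them.
    private static final Map<String, char[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", "s3cret".toCharArray());
    }

    /** Minimal Principal carrying the authenticated user name. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private UserPrincipal identity;
    private boolean loginOk;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;  // provided by the container, not by the EJB client
    }

    // Phase 1: obtain the name/password the container forwards from the call and verify them.
    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        username = nc.getName();
        char[] supplied = pc.getPassword();
        pc.clearPassword();
        char[] expected = (username == null) ? null : USERS.get(username);
        boolean ok = expected != null && supplied != null && constantTimeEquals(expected, supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');  // do not leave the password on the heap
        if (!ok) throw new FailedLoginException("bad user or password");  // same message for both cases
        loginOk = true;
        return true;
    }

    // Phase 2: only now attach the identity to the Subject the container hands us.
    @Override
    public boolean commit() {
        if (!loginOk) return false;
        identity = new UserPrincipal(username);
        subject.getPrincipals().add(identity);
        return true;
    }

    @Override
    public boolean abort() {
        loginOk = false;
        username = null;
        return true;
    }

    @Override
    public boolean logout() {
        if (identity != null) subject.getPrincipals().remove(identity);
        identity = null;
        loginOk = false;
        return true;
    }

    // Compare without short-circuiting on the first mismatching character, so response
    // time does not reveal how much of the password was correct.
    private static boolean constantTimeEquals(char[] a, char[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The module is then declared in the server's login configuration rather than instantiated by application code. In the JAAS configuration-file syntax that JBoss 2.4 used (auth.conf), the entry would be `example-domain { com.example.ExampleServerLoginModule required; };`, where both names are hypothetical; the security-domain in jboss.xml then refers to that entry. JBoss's own principal and role-group classes are not used here so that the module compiles against the standard JDK alone.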
Thanks to J. Wolfgang Kaltz and Peter O'Connor for help.
I was unaware of the existence of the ClientLoginModule and was considering writing two separate LoginModules one for client-side and one for the server-side (doing the actual authentication)!
Does JAAS work in a similar way with other application servers too?
I will try out your solutions and post the outcome on the forum.
>>Does JAAS work in a similar way with other application servers too?
I'm not sure.
With JBossSx, we again have an example of how the JBoss developers take a perfectly good Sun Java package and twist it around to do something that was not intended. ;-)
It worked! I linked the ClientLoginModule to the security domain on the client side and for JBoss I linked the custom LoginModule to the security domain. As I was using JBoss 2.4.4 with Catalina, I had to set these in the corresponding auth.conf files. Besides this and indicating the security-domain in jboss.xml in the EJB jar, I did not do anything else.
I had to use the custom CallbackHandler when creating a LoginContext. I tried to pass a Subject (with Principals and Credentials pre-loaded) to LoginContext as the second parameter but I kept getting an exception that no CallbackHandler was available (most likely thrown by ClientLoginModule?).
Regarding the similarity of this implementation with JAAS implementations in other app. servers, the JAAS specification does not talk of a scenario such as authentication across an EJB client and EJB server running in different JVMs. It has a single JVM focus even though it does talk about passing principal information to other app. servers. If every app. server's JAAS requires significant code change to adapt from other app. servers' JAAS implementations, then we do not have a standard authentication mechanism with Java applications that are direct EJB clients.
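The client-side half, as an added example that is not code from this thread or from JBoss: a LoginContext backed by org.jboss.security.ClientLoginModule, with the CallbackHandler that the last post found to be required. No authentication happens in this program; the module only records the principal and credential so that each subsequent EJB call carries them to the server, where the server's own login module verifies them. The config entry name, JNDI name and user name are hypothetical.

```java
// Added example, not from the thread. EJB client that logs in through the JBoss
// ClientLoginModule. Run with -Djava.security.auth.login.config=auth.conf where
// auth.conf contains (entry name hypothetical):
//
//   client-login { org.jboss.security.ClientLoginModule required; };
//
import java.io.Console;
import java.util.Arrays;

import javax.naming.InitialContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class ExampleEjbClient {

    /** Hands a fixed user name and password to whichever module asks for them. */
    static final class StaticCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        StaticCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Fail loudly rather than silently ignoring a callback we do not understand.
                    throw new UnsupportedCallbackException(cb, "unsupported callback " + cb.getClass().getName());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "alice";  // hypothetical default user
        Console console = System.console();
        // Read the password interactively so it never appears in the process argument list.
        char[] password = (console != null) ? console.readPassword("password for %s: ", user)
                                            : new char[0];

        // Passing a pre-populated Subject instead of a CallbackHandler is not enough here:
        // ClientLoginModule asks the handler for name and password.
        LoginContext lc = new LoginContext("client-login", new StaticCallbackHandler(user, password));
        try {
            lc.login();  // no server round trip; identity is stashed for the EJB proxies
            // Every remote call from here on carries the principal/credential; the server's
            // security domain (declared in jboss.xml) authenticates it on each invocation.
            Object home = new InitialContext().lookup("ejb/Example");  // hypothetical JNDI name
            // narrow(home, ExampleHome.class) and invoke the bean here
            System.out.println("looked up " + home.getClass().getName() + " as " + user);
        } catch (LoginException e) {
            System.err.println("client login failed: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0');  // drop the plaintext as soon as it has been handed over
            lc.logout();                  // clears the client-side principal/credential
        }
    }
}
```

Because the client module only stores what the handler supplies, a wrong password is not detected at lc.login(); it surfaces on the first EJB call, as a security exception raised by the server. Practitioners porting this to another container should expect only the CallbackHandler and LoginContext parts to carry over unchanged; the client module and configuration file locations are JBoss-specific.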