Maybe I need to clarify what the intention is? :)
There is a secure web that requires basic authentication to access. The security domain is X.
There is a server login module that is responsible for verifying that the user trying to access the web has the right role.
In the process of verification, the login module uses a session bean that is also in the security domain X to fetch the true username and password and try to match it with the one supplied by the basic authentication of the web.
Now the login module is called by itself implicitly when it is trying to create the session bean.
In that stage both username and password are null.
The only way round this would be to put the session bean in a different security domain. Is there a reason this can't be done?
I read your question and wanted to ask, are you trying to use the JAAS-based security model provided by JBoss, or are you replacing the JBoss security model with one of your own?
If you are trying to use the JBoss security model, then any method call to an EJB container gets a security check before it is allowed inside the container. So, if a method call is not allowed inside the EJB container without security clearance, then how could a session bean be used for security purposes when it is on the other side of the security wall (inside the EJB container)?
If I am misunderstanding your situation please let me know.
For plain-vanilla JBoss server security, you would write a LoginModule based on the JBoss classes, and then declare it in the server-side auth.conf, along with any necessary options. JBoss will load and use the class as needed.
Anyone having a solution to this? It annoys me much, so I am considering writing a patch to JBoss that gives the login module a role/user.
You can put all of them in the same security domain. All you need to do is declare not to check the security for the authentication session bean using tag in your ejb-jar.xml file.