I want Jboss to handle security only for access to web resources (not EJB) but I can't get the SecurityInterceptor to forward to the security domain I have defined (Tomcat 4.01 Jboss 2.4.4)

I have set the following in web.xml:

<security-constraint>
<web-resource-collection>
<web-resource-name>Secure</web-resource-name>
<url-pattern>/test/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>AutoDiscount</role-name>
</auth-constraint>
</security-constraint>

but haven't set any login-config (i want to have a custom login) - can that work?

I have also set the security-domain in jboss-web.xml and written the server module referenced for this domain in auth.conf

My login page is not protected under this security. When I submit the form of login details I want to forward to a secure area, after authentication. At the moment I get the message:

Cannot perform access control without an authenticated principal

How can I use JBossSX to fire off the login method of my Login module with the form information when I try to access pages restricted by web.xml?