Im getting my head around the jbosssx stuff, and its fucking great. Im just wondering whether the key for the DomainInfo cache should be the CallerPrincipal from the authenticated subject or some combination of the Principal and the Credentials, rather than just the Principal. Why??
I have secured the web-content in our app by intercepting each web call (a struts SecureAction) and re-associating principal and credentials in the SecurityAssociation to allow propogation of the identity to jboss. The j_security_check is just too inflexible. We have a multi-war ear and have built a custom jaas login module. Usernames are unique within a war but not unique within the entire application, so we add a statically defined credential different for each war to the credentials, that allows our jaas login module to uniquely identify the user. I then set the CallerPrincipal to the real globally unique id for the user. However the authenticated subject is then stored in the domainCache keyed on the original principal (which is the username). the validateCache call is going to fail continuously for these users since their "Comparable" credentials will always be different. Keying the domainCache on the CallerPrincipal would prevent this.
scott? anyone? what do you think. scott you owe us one since you didnt come to the sydney training :)