0 Replies Latest reply on Aug 24, 2002 3:24 PM by Jim

    bundled web container not remembering previous authenticatio

    Jim Newbie


      JBoss3.0.0+Jetty??? (don't see any reference to Jetty version in latest bundle)

      I have created a war file to demonstrate a problem (relating to authentication - FORM-BASED or BASIC on jboss+jetty bundle) which I have spent a lot of time trying to resolve.

      The problem is this:

      1. unauthenticated user's request is to a secured resource;
      2. login form / basic form is presented to user;
      3. user logs in successfully i.e. successfully authenticated (req.getRemoteUser(userid) reflects this);
      4. same user then requests a non-secured resource and is not recognized as being authenticated (request.getRemoteUser(userid) returns null).
      5. same user requests the previous (point 3) resource and is taken directly to the secured resource (i.e. container recognizes or 'remembers' the request as having been authenticated.)

      I am interested only in persisting this authentication info on the web engine at this point - I'll get to the ejb container later.

      I have to go back to jboss2.4.3+tc4.0 to get the web container to remember a previous authentication (within the same session of course) - however, anything above those two combinations and it just doesn't remember. I have tried more than one login module implementation without it affecting the result (DatabaseServerLoginModule). Also, I have tried deploying the war into a standalone tomcat container (4.0.4) and the container does remember the previous authentication.

      I have attached the 'demo-auth-prob.war' file. Just drop it into the jboss 3.0.0 deploy directory to deploy it. (If necessary I can supply the source).

      Feel free to try the form-based variation by modifying the archived web.xml (currently commented out). The war is currently configured to utilize the UserRolesLoginModule which I believe will be invoked should the jboss-web.xml security realm not be found in your jboss's login-config.xml.
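
An added example, not part of the original post or the attached war: a Servlet 2.3 filter that tells apart the two ways step 4 can fail (session lost, or session kept but no user reported) and exposes the remembered login name to unsecured resources. The class name and session attribute key are hypothetical, and it assumes the container reports the user only on constrained URLs, which the post does not establish.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; class name and session key are hypothetical. Map to /* in web.xml.
public class RememberedUserFilter implements Filter {
    static final String ATTR = "demo.rememberedUser"; // hypothetical session key
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { ctx = null; }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false); // never create a session here
        String user = req.getRemoteUser();

        if (user != null) {
            // The container authenticated this request: record the name server-side.
            if (session != null) session.setAttribute(ATTR, user);
            chain.doFilter(rq, rs);
            return;
        }
        final String remembered =
            (session == null) ? null : (String) session.getAttribute(ATTR);
        if (remembered == null) {
            // Anonymous, or the session itself was lost (no id is written to the log).
            ctx.log(req.getRequestURI() + ": no user, sessionValid="
                    + req.isRequestedSessionIdValid());
            chain.doFilter(rq, rs);
            return;
        }
        // Session survived but the container reported no user: step 4 of the post.
        ctx.log(req.getRequestURI() + ": container user is null, session remembers one");
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public String getRemoteUser() { return remembered; }
        }, rs);
    }
}
```

The wrapper overrides only getRemoteUser(); isUserInRole() and getUserPrincipal() still come from the container, so access decisions stay with the security-constraint entries in web.xml. With BASIC authentication and no session, nothing is recorded and the filter only logs.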