Just discover that subject-basd policy won't work for JBoss 3.0.4 with Sun JDK 1.3. With the JVM option "-Djava.security.auth.policy=jaas.policy", JBoss gives the following exception when JAAS subject based policy is first triggered. After examine the source code, found out the problem.

Inside the stand-alone jaas.jar javax.security.auth.Policy.java, it is using "ClassLoader.getSystemClassLoader();" as classloader to load the default Policy implementation (com.sun.security.auth.PolicyFile). While this classloader obviously is the system boot classloader, which does not have jaas.jar in its classpath. I can try to move jaas.jar together with all my own LoginModule classes to system classpath, but it may break many things.

For JDK 1.4, the JAAS implementation is shipped within, while the Policy.java is changed to use "Thread.currentThread().getContextClassLoader(); ", which is exactly the correctly one to use.


java.lang.SecurityException: unable to instantiate Subject-based policy
at javax.security.auth.Policy.getPolicyNoCheck(Policy.java:241)
at javax.security.auth.Policy.getPolicy(Policy.java:198)
at javax.security.auth.SubjectDomainCombiner.(SubjectDomainCombiner.java:72)
at javax.security.auth.Subject$2.run(Subject.java:515)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.createContext(Subject.java:508)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:436)
at org.apache.jsp.index$jsp._jspService(index$jsp.java:105)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:201)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:381)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:473)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:366)
at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:293)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:581)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1687)
at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:544)
at org.mortbay.http.HttpContext.handle(HttpContext.java:1637)
at org.mortbay.http.HttpServer.service(HttpServer.java:875)
at org.jboss.jetty.Jetty.service(Jetty.java:543)
at org.mortbay.http.HttpConnection.service(HttpConnection.java:806)
at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:956)
at org.mortbay.http.HttpConnection.handle(HttpConnection.java:823)
at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:203)
at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:290)
at org.mortbay.util.ThreadPool$JobRunner.run(ThreadPool.java:743)
at java.lang.Thread.run(Thread.java:479)