From a Java stand-alone client, right? Does it perform a JAAS login using the jboss ClientLoginModule?
No, in the stand-alone app I made I used UsersRolesLoginModule.
Do I have to use ClientLoginModule? why?
Do you have some sample of a java stand-alone client calling a secure EJB??
It's necessary to use Subject.doAs to make the call??
I think I don't understand very well this stuff.
I already solve it! using ClientLoginModule from JAAS
The ClientLoginModule is used to remember
the user/password in a location for later
use by the ejb proxies.
They transport this information to the server
where the authentication occurs.
Look at client/auth.conf for an example JAAS config.
Do you have to perform the client auth even if you have an unchecked method permission for your EJB specified in the deployment descriptor?
I have an ejb jar that has mixed beans-- i.e. some require a security role while others don't. Calling into an EJB method marked as unchecked throws this same exception. But, I can't just whack out the <security-domain> from jboss.xml as all the beans then become unsecured. It seems to be an all or nothing affair JBoss.
If the ejb is going to authenticate the user/password
it must know that information
which means you have to pass it to the server.