I can't understand why you implement the login functionality in your LoginAction. As a matter of fact, JBoss should do most of the work for you. For that you need these steps:
1- You have to secure all of your web accesses by requiring roles for each servlet/JSP access. You do this in your web.xml: i.e.
<web-resource-name>My App Login</web-resource-name>
2- You define a security domain in your jboss-web.xml
3- For this domain you define a convenient LoginModule in the login-config.xml (jboss/server/default/conf)
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
<login-module code="com.anis.MyLoginModule" flag="required"/>
Now the first time a user tries to access a secure resource (JSP/Servlet), the app server uses the defined LoginModule to perform the necessary authentication and, on success, fills the subject with the necessary principals, credentials and roles.
Each time you try to call a secure EJB method, the server makes the security check for you.
That's all, folks!
I hope I could help
Thank you for your help!
In fact, what I need is that when the user logs in, I can get some other information about him besides his username and password, to determine the data scope he can manage, because in my application some users can execute the same function but the function manages a different data scope. I had tested using the DatabaseServerLoginModule to implement the login. But I found I can't insert my login in the login process, so I wrote my own login logic. But I found my LoginContext can't be accessed by the web container and the EJB container.
What can I do? Can a custom LoginModule get what I need? Maybe somebody has had the same experience and can give me some help? A good example would be best!
Thank you in advance! I wish everybody a good day!
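
A custom JAAS LoginModule of the kind step 3 refers to can attach extra per-user information to the authenticated Subject as an additional principal, which is what the question above asks for. The following is an added example, not code from either poster or from JBoss; `ScopedLoginModule`, `DataScopePrincipal` and the in-memory user table are hypothetical, and only the standard `javax.security.auth` API is used.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical principal carrying the data scope a user may manage.
final class DataScopePrincipal implements Principal {
    private final String scope;
    DataScopePrincipal(String scope) { this.scope = scope; }
    public String getName() { return scope; }
    @Override public boolean equals(Object o) {
        return o instanceof DataScopePrincipal && ((DataScopePrincipal) o).scope.equals(scope); }
    @Override public int hashCode() { return scope.hashCode(); }
}
public class ScopedLoginModule implements LoginModule {
    // Constructed sample data: user -> {password, scope}. A real module would
    // query the user store and compare against a stored password hash.
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[] {"alice-pw", "REGION_NORTH"},
        "bob", new String[] {"bob-pw", "REGION_SOUTH"});
    private Subject subject;
    private CallbackHandler handler;
    private DataScopePrincipal scope; // set by login(), published by commit()
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.subject = s;
        this.handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {name, pw}); // container supplies the credentials
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot read credentials: " + e.getMessage());
        }
        String user = name.getName();
        String[] rec = (user == null) ? null : USERS.get(user);
        char[] given = pw.getPassword();
        pw.clearPassword();
        boolean ok = rec != null && given != null
            && MessageDigest.isEqual(rec[0].getBytes(), new String(given).getBytes());
        if (!ok) throw new FailedLoginException("bad credentials"); // same error for unknown user
        scope = new DataScopePrincipal(rec[1]); // held back until commit()
        return true;
    }
    public boolean commit() { if (scope == null) return false; subject.getPrincipals().add(scope); return true; }
    public boolean abort() { scope = null; return true; }
    public boolean logout() { if (scope != null) subject.getPrincipals().remove(scope); scope = null; return true; }
}
```

Code that holds the authenticated Subject can read the scope with `subject.getPrincipals(DataScopePrincipal.class)`; the scope is only added in `commit()`, so a failed login never leaves it on the Subject.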