Apparently, the problem is not a failure of the role permission verification, but a problem of a null user authentication. I mean, I set the run-as role in my web.xml, but since I didn't define any authentication in my web application, the principal was always null.
I imagine the workflow something like this:
1) User authentication
2) role permission
So, if in step 1) there isn't any user, the role permission verification in 2) will always fail, probably because of this:
    // javax.ejb.EJBContext
    java.security.Principal getCallerPrincipal()
    boolean isCallerInRole(String roleName)
I worked around this by setting a dummy user in login-config.xml for the "other" profile to avoid the null principal:
    <!-- login-config.xml: the "other" policy is the one JBoss uses when the
         web application names no security domain of its own -->
    <application-policy name="other">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
          <!-- principal to use when the caller presents no credentials -->
          <module-option name="unauthenticatedIdentity">nobody</module-option>
        </login-module>
      </authentication>
    </application-policy>
So, I would like to ask a new question:
-How can I set a Principal in my servlet code for the JAAS authentication in a programmatic way?
If the Principal is null, then I set a dummy Principal, and using the "run-as" element in web.xml, I could solve the problem...
The advantage is avoiding a JBoss-specific configuration, even though I'm developing for JBoss.
You can't. There is no portable spec method for establishing the anonymous caller identity.
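For reference, this is what the complete configuration behind the question's workaround looks like when the two halves are put side by side: the spec-defined run-as element in web.xml and the JBoss-specific "other" login policy with an unauthenticated identity. This is an added example, not code from the original post; the servlet name, class, role name "internal" and the contents of users.properties/roles.properties are assumptions made up for the illustration.

```xml
<!-- ===== WEB-INF/web.xml (portable, Servlet spec) ===== -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <servlet>
    <!-- assumed servlet name and class -->
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
    <!-- Every outbound EJB call made by this servlet is performed
         under the "internal" role, regardless of who the caller is.
         It does NOT change request.getUserPrincipal() seen inside
         the servlet itself. -->
    <run-as>
      <role-name>internal</role-name>
    </run-as>
  </servlet>

  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/report</url-pattern>
  </servlet-mapping>

  <!-- A run-as role must be declared as a security role of the web app -->
  <security-role>
    <role-name>internal</role-name>
  </security-role>

</web-app>

<!-- ===== conf/login-config.xml (JBoss-specific) ===== -->
<!-- The "other" policy is the fallback domain used when jboss-web.xml
     names no security-domain for the application. -->
<application-policy name="other">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- Callers that present no credentials are logged in as "nobody"
           instead of leaving the security context empty. -->
      <module-option name="unauthenticatedIdentity">nobody</module-option>
      <!-- assumed property files on the classpath (the module's defaults) -->
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- ===== roles.properties (assumed contents) =====
     Give the anonymous identity no roles at all. Whatever is listed here
     for "nobody" is granted to every unauthenticated caller, so this line
     is the one to keep empty.

nobody=
-->
```

Two things to check after applying this. First, that "nobody" really has no roles: with unauthenticatedIdentity set, every anonymous request now has a principal, and UsersRolesLoginModule grants that principal whatever roles.properties assigns to it, so an entry such as `nobody=admin` would hand the admin role to the whole internet. Second, that the run-as role is the only elevated role reaching the EJBs: run-as replaces the propagated identity for the servlet's outbound calls, so an EJB's `isCallerInRole("internal")` succeeds for every request to that servlet, which means the servlet must do its own checks on who is allowed to hit it.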