1 Reply Latest reply on Sep 21, 2004 9:21 AM by lretief

    Use SSO for login with JBoss 4.0

    kingnothing

      Hi,

      I want to use a Single Sign-On method to log in to my application (to access my protected resource) using JBoss 4.0. How does this work? The user logs in to an application (not mine). Then he wants to access my application without entering his credentials (again). So that application sends my application an encrypted assertion (like SAML, as a parameter of the HTTP request or using SOAP over HTTP).

      So how can I (my LoginModule) get this information, this assertion? (Without using a filter, if possible. I want to use the security-constraint and login-config elements.)

      And how can my LoginModule be called without using an auth-method? When I set NONE as auth-method, I get the HTTP 403 error before my LoginModule is called. This error is: Cannot perform access control without an authenticated principal.

      This is my web-security.xml configuration:

      <!-- Security settings -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <description>Declarative security tests</description>
          <url-pattern>/myApplication/*</url-pattern>
          <http-method>HEAD</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>no description</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>NONE</auth-method>
        <realm-name>realmSSO</realm-name>
      </login-config>

      Thanks a lot!