I guess I should add that both my ears have different loader-repositories specified via their jboss-app.xml file.
Presumably the second ear has no visibility to the ServerLoginModule due to the scoping then. Enable trace level logging on the security category org.jboss.security (http://www.jboss.org/wiki/Wiki.jsp?page=Logging) to better see what is failing. The sar setting up the shared security domain clearly should not be within a scoped ear.
I have worked out that the following was happening.
- The xxxRealm was being 'found' from within ear2
- The ServerLoginModule for the xxxRealm was then causing a class not found exception (it dynamically loads classes, and the one it required was only in ear1).
- This exception was then being swallowed and the principal=null exception thrown.