0 Replies Latest reply on May 17, 2005 6:03 PM by fgonc

    Security Roles not validated

    fgonc

I've implemented a custom login module extending the org.jboss.security.auth.spi.UsernamePasswordLoginModule. I've implemented the methods getUsersPassword and getRoleSets. The authentication process runs well, but the authorization does not. After logon using JAAS I make calls to EJB methods that require security roles, and I get one principal=null on my EJB SessionContext. I think that this is a propagation problem. In the method getRoleSets I have created one SimpleGroup named Roles and added to it two SimplePrincipals.

      import java.security.acl.Group;
      import org.jboss.security.SimpleGroup;
      import org.jboss.security.SimplePrincipal;

      // Built inside getRoleSets(): one group named "Roles" holding the roles granted to the user
      Group[] groups = {new SimpleGroup("Roles")};
      SimplePrincipal role = new SimplePrincipal("R1");
      groups[0].addMember(role);
      role = new SimplePrincipal("R2");
      groups[0].addMember(role);

      In my ejb-jar.xml I have created the security-role AuthorizedUser, and gave it permission to one method of one EJB

      <security-role>
        <role-name>AuthorizedUser</role-name>
      </security-role>

      <method-permission>
        <role-name>AuthorizedUser</role-name>
        <method>
          <ejb-name>FAQSession</ejb-name>
          <method-intf>Remote</method-intf>
          <method-name>getAllFaqs</method-name>
          <method-params></method-params>
        </method>
      </method-permission>

      I was hoping that I would be forbidden to invoke this method, but it executes fine, and it is in this EJB that I get principal=null in the sessionContext, after the authentication process, and after the getRoleSets method invocation by JAAS.

      I'm currently using JBoss 3.2.5

      Can anyone help me?
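For readers hitting the same symptom, here is an added, self-contained example of a custom login module for JBoss 3.2.x; it is not the poster's code. It assumes a hypothetical package name and a constructed in-memory user table (a real module would query a database or directory). It shows the two groups the JBoss security manager looks for in the authenticated Subject: "Roles", whose member names are matched as plain strings against the <role-name> entries in ejb-jar.xml, and "CallerPrincipal", whose single member is what the bean sees from getCallerPrincipal(). The sample table deliberately contains one user who carries the AuthorizedUser role from the descriptor above and one who carries only R1 and R2, so the permission check on getAllFaqs behaves differently for each.

```java
package example.security; // hypothetical package for this added example

import java.security.acl.Group;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Minimal custom login module for JBoss 3.2.x. The superclass drives the
 * JAAS callbacks and compares the supplied password with getUsersPassword();
 * only getRoleSets() decides what the EJB container later authorizes.
 */
public class ExampleLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample credential store: {username, password, role...}.
    // "alice" holds the AuthorizedUser role named in ejb-jar.xml; "bob" does not.
    private static final String[][] USERS = {
        {"alice", "secret1", "AuthorizedUser"},
        {"bob",   "secret2", "R1", "R2"},
    };

    /** Password the superclass compares against the one the caller supplied. */
    protected String getUsersPassword() throws LoginException {
        String[] entry = lookup(getUsername());
        if (entry == null) {
            throw new LoginException("unknown user");
        }
        return entry[1];
    }

    /**
     * Two groups are returned: "Roles" carries the authorization roles that
     * method-permission entries are checked against, and "CallerPrincipal"
     * carries the identity reported by SessionContext.getCallerPrincipal().
     */
    protected Group[] getRoleSets() throws LoginException {
        String[] entry = lookup(getUsername());
        if (entry == null) {
            throw new LoginException("unknown user");
        }
        Group roles = new SimpleGroup("Roles");
        for (int i = 2; i < entry.length; i++) {
            // Role names must match <role-name> in ejb-jar.xml exactly (case included).
            roles.addMember(new SimplePrincipal(entry[i]));
        }
        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(new SimplePrincipal(entry[0]));
        return new Group[] { roles, caller };
    }

    /** Linear scan of the constructed table; returns null for unknown users. */
    private static String[] lookup(String username) {
        for (int i = 0; i < USERS.length; i++) {
            if (USERS[i][0].equals(username)) {
                return USERS[i];
            }
        }
        return null;
    }
}
```

Two things worth checking when a role-protected method still runs for everyone and the bean sees a null principal: the EJB container only enforces method-permission entries (and fills in the caller principal) when the deployment's jboss.xml names a security domain, e.g. <security-domain>java:/jaas/MyDomain</security-domain>, where MyDomain is the entry in the JAAS login configuration that lists this module; and for a remote client, the client-side login configuration has to include org.jboss.security.ClientLoginModule, which is what attaches the principal and credential to the outgoing invocation so they reach the server at all.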