I believe that if you are doing your own login code in your servlet, it is already too late to get the proper user from the HTTP request object (and it is not getRemoteUser but getUserPrincipal that should be called).
You need to let the web container (tomcat) do the authentication for you in order to get your principal from request.getUserPrincipal.
In order to do that, you need to use basic or form based authentication for your servlet and not do any login context stuff in your servlet code (web container will do that for you).
I think there was a few bug fixes between JBoss 3.2.X and JBoss 4.0 in this area, I advise you to use JBoss 4.0.2.
I understand what you say, however, this application needs a custom login, because its not just a username/password. The user also needs to inform another piece of information, so I cant just use BASIC or FORM-based authentication.
So in order for me achieve this type of authentication and still be able to use the security features that J2EE offers me, I need to use JAAS and create a custom login module and a custom callback handler to do that job. Am I right so far?
Thats what I've been working on, but I cant get it to work. I did everything like the Wiki page tells (and the article on the sticky note in this forum). I can get the LoginContext to call my login-module, but I cant integrate my authentication info with the container. Is there a way to do this or am I really off?
Thanks for your help, and I would appreciate it if someone could point me in the right direction.
For sure, if you do your own JAAS login within the servlet code, the request.getCallerPrincipal will definitely not return your custom principal as you authentication is done too late in the process.
You need to look at the tomcat documentation to create your own realm or something like that in order for you authentication to be performed by the web container (tomcat) prior to handling your request.
Or may be doing it within a Valve or Filter (I think Valve is the way to go) is the way to go, I am not certain.
Another possible option is to look for the possibility of a custom FORM login (not sure if this is possible or not).
In any cases, if your servlets are calling some backend EJBs, you will need to write some "advanced" JBoss code to pass the web container security context down to the EJB container (unless a hook to a custom FORM authentication can take care of this for you, I do not know).
There quite a few posts in the forum suggesting to use the ClientLoginModule at the end of your JAAS stack configuration, but this imply that authentication (or at least going through all the JAAS modules) is performed at each request (which is, I think, not that great).
Sorry for not being able to help more than that but this is where my JBoss knowledge stops.