I configured my web applications to use Active Directory via LDAP as described here: http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapLoginModule
Works great. I can log in, and I can access any JBoss applications that have an auth-constraint with a role-name that matches my user's profile (in LDAP, the user has 'memberOf' attributes matching the 'role-name' I configured in my web.xml).
So I made a group in Active Directory called 'Application1' and I added the users to the 'Application1' group and they can all log in and use the application successfully.
The problem is, this does not scale. If I make 'Application2' I need to add every single user again. The solution on the Active Directory side is to make another group, one called 'Application Users' and add 'Application 1' and 'Application 2' to that group, as well as all the users.
So this is my problem: I have web.xml files that tell the application to check and make sure the user is a 'memberOf' 'Application1'. The user is only a member of 'Application Users', which in turn is a member of 'Application1'. How can I configure JBoss to recursively look through these memberOf relationships to correctly authorize the user to use my application?
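One way to resolve nested groups, added here as an example and not taken from the original post: the LdapExtLoginModule (a different module from the LdapLoginModule the linked wiki page describes) has a roleRecursion option that repeats the role search using each found group's DN as the new subject, so 'Application Users' leads to 'Application1'. The hostname, DNs, OUs and service-account credential are placeholders, and the snippet assumes a JBoss AS 4.x/5.x style login-config.xml.

```xml
<!-- Added example (not from the original post): one application-policy in
     conf/login-config.xml. Placeholder DNs and hostname; adjust to your forest. -->
<application-policy name="ad-nested-groups">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
                  flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <!-- Use ldaps:// so the service-account password and user credentials are not sent in clear. -->
      <module-option name="java.naming.provider.url">ldaps://dc01.example.com:636</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>

      <!-- Least-privilege read-only account used only to locate users and groups. -->
      <module-option name="bindDN">CN=svc-jboss-ldap,OU=Service Accounts,DC=example,DC=com</module-option>
      <module-option name="bindCredential">PLACEHOLDER_PASSWORD</module-option>

      <!-- Step 1: find the user's DN from the login name; {0} is the username typed in. -->
      <module-option name="baseCtxDN">OU=Users,DC=example,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>

      <!-- Step 2: find groups whose 'member' attribute holds that DN; {1} is the DN found above.
           roleAttributeID=cn turns each matching group's common name into a JAAS role,
           which is the string the web.xml role-name must equal (e.g. Application1). -->
      <module-option name="rolesCtxDN">OU=Groups,DC=example,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>

      <!-- Step 3: nesting. After each group is found, the same roleFilter is run again with
           that group's DN as {1}. Depth 1 already covers user -> Application Users -> Application1;
           a small fixed bound keeps a mis-configured or cyclic group tree from searching forever. -->
      <module-option name="roleRecursion">3</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The web.xml auth-constraint then keeps `<role-name>Application1</role-name>` unchanged; only the group tree in Active Directory and the roleRecursion depth decide who ends up holding that role.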