If you read JBoss server guide section 18.104.22.168 (http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html#ch8.dabaseserverloginmodule.sect), you will see how this module works. To answer your first question: it depends on your database. If your table that stores roles has a column to allow you to group your roles, then you would use that column. One good use of this concept is if a user has different roles for different applications. Thus at login time, you really only want the roles for the user in app x. Then your second column of the query could use this value to select only roles for that app.
Please clarify your second question. Do you want your standalone Tomcat to actually defer security to the JBoss container? Or do you just want to use the policy definition?
I would like the Tomcat server to refer to the auth policy (bound to some JNDI name) defined in JBoss.
I know that the JNDI name is java:/jaas/XXXX, making it inaccessible from outside. What could be done?
One idea that I have is to write a login module (JAAS) and make an SQL query to the same datasource that is being used by the JBoss authentication policy.
In the past, I may have thought this was possible, but now I do not think there is any means already to do that. I do know that if you could access JBoss's mbean server, you could get the SecurityMangerServiceMBean and defer authentication to it. Sorry, I could not be of more help as I have never tried this. I hope someone else in this forum could add to this.
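The roles query discussed in the first reply, as an added example that is not part of the original thread: a `login-config.xml` policy for `DatabaseServerLoginModule` whose `rolesQuery` returns only one application's roles. The policy name `appx-policy`, the tables `Principals` and `AppRoles`, and the `AppName` column are assumptions made for illustration.

```xml
<!-- Added example; policy, table and column names are hypothetical. -->
<application-policy name="appx-policy">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Datasource the module queries; the default is java:/DefaultDS -->
      <module-option name="dsJndiName">java:/DefaultDS</module-option>

      <!-- Must return one column: the stored password for the user.
           The single ? is bound to the username. -->
      <module-option name="principalsQuery">
        select Password from Principals where PrincipalID=?
      </module-option>

      <!-- Must return two columns: the role name and the role group.
           The group 'Roles' is the set the container checks for
           authorization. The query takes only the username as a bind
           parameter, so the application filter is a literal here:
           a user with roles in several applications gets only the
           appX roles at login. -->
      <module-option name="rolesQuery">
        select Role, 'Roles' from AppRoles
        where PrincipalID=? and AppName='appX'
      </module-option>
    </login-module>
  </authentication>
</application-policy>
```

Each application that needs its own role set gets its own policy with a different literal in the `where` clause, so roles granted for one application never appear in the authenticated subject of another.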