Why the web layer can't see credentials and principals (the security domain is the same)?
Because you have not logged into a security domain (i.e. a JBoss SecurityManager).
By creating your own LoginContext, and calling login() yourself, you have bypassed JBoss' security layer (i.e. container managed security). Setting the SecurityAssociation.setSubject() is only valid for the thread that the login occurred, and is not a recommended way to propagate the authenticated subject.
You will need to do customization to Tomcat's security system if you do not want to use Java Servlet spec. defined authentication methods.
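The thread-scoping problem described in the reply above, shown as an added example that is not part of the original posts and is not JBoss code. The `CURRENT` holder is a hypothetical `ThreadLocal` stand-in for a thread-bound security association, the two executors model two worker threads of a request pool, and the user name is constructed.

```java
import java.security.Principal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

public class ThreadBoundSubjectDemo {
    // Hypothetical stand-in for a thread-scoped security association;
    // this is NOT JBoss's SecurityAssociation class.
    static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // What a "login" request does after its own LoginContext.login() succeeds.
    static String handleLogin(String user) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(user));
        CURRENT.set(subject); // bound to the current worker thread only
        return describe("login");
    }

    // What any later request sees on whichever thread serves it.
    static String describe(String request) {
        Subject s = CURRENT.get();
        String who = (s == null) ? "<no subject>"
                : s.getPrincipals().iterator().next().getName();
        return Thread.currentThread().getName() + " " + request + ": " + who;
    }

    public static void main(String[] args) throws Exception {
        ExecutorService workerA = Executors.newSingleThreadExecutor();
        ExecutorService workerB = Executors.newSingleThreadExecutor();
        Callable<String> login = () -> handleLogin("alice"); // constructed user
        Callable<String> next = () -> describe("protected");
        try {
            System.out.println(workerA.submit(login).get());
            // Next request lands on another worker: the subject is not there.
            System.out.println(workerB.submit(next).get());
            // A later request on the first worker still finds the old subject,
            // because nothing cleared it when the login request finished.
            System.out.println(workerA.submit(next).get());
        } finally {
            workerA.shutdown();
            workerB.shutdown();
        }
    }
}
```

The second line of output shows why the web layer sees no principal on the next request, and the third shows the opposite hazard of a thread-bound subject in a pooled container: a request from a different user served by the first worker would inherit the leftover identity.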
Thanks a lot for your reply,
could you suggest a link or some documentation that explains how to extend Tomcat's security system?
With the expression "do customization to Tomcat's security system" do you mean to create a custom Authenticator?
I'm sorry for my questions but I'm quite new to security in JBoss and I'd like to integrate security authentication process using Seam framework and jsf with facelets.
Thanks a lot,
There is not much documentation. Your best source is Tomcat code as well as JBoss wiki at
Also, if you have special security needs, you may want to post them on thread
or if you think your work would be useful to Seam project, you should post on thread
good luck, cgriffith
Thank you very much for your help, I hope to find a good solution that can be useful also for others.
The integration security code is in the tomcat module of the jbossas source tree. Fisheye can be used to browse it online.
The way this should be done in the current architecture is to create an alternate or modified org.jboss.security.ClientLoginModule that propagates the login state to the web container layer.
I'm trying to find a solution reading Seam forum, to check if someone has the same problem. I'm looking also at jboss source code, to see how to modify ClientLoginModule to propagate credentials on the web container, but at the moment it seems to me not so simple.
Thanks a lot for replies,
I got the same problem.
Roby, did you figure out how to modify ClientLoginModule in order to propagate the credentials?
I didn't find a good solution in modifying ClientLoginModule, so I'm trying to use jpdl and servlet redirection like I've seen in another post.