I am trying to integrate jaas into our application. For our purpose, we have used LDAP for authentication / authorization of the users.

I am trying to chain two login modules as follows:

Entries of interest in the login-config.xml are as follows:

<application-policy name="MySecDomain">

<login-module code="org.jboss.security.ClientLoginModule" flag="required">
</login-module>
<login-module code="com.mycom.security.MyLoginModule"
flag="optional">
</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory
</module-option>
<module-option name="java.naming.provider.url">
ldap://localhost:389/</module-option>
<module-option name="java.naming.security.authentication">
simple</module-option>
<module-option name="java.naming.security.principal">
cn=Manager,o=mycom.com</module-option>
<module-option name="java.naming.security.credentials">secret
</module-option>
<module-option name="principalDNPrefix">uid=</module-option>
<module-option name="principalDNSuffix">,ou=People,o=mycom.com
</module-option>
<module-option name="rolesCtxDN">o=mycom.com</module-option>
<module-option name="uidAttributeID">uniquemember</module-option>
<module-option name="matchOnUserDN">true</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
</login-module>

</application-policy>

I have added the following entry in the jboss-web.xml and jboss.xml :

<security-domain>java:/jaas/MySecDomain</security-domain>

I have created a standalone jar file called mysecurity.jar which contains all the jaas related classes. This is a java jar file which is being referenced both by the web and the ejb components.

I have written two classes which implement the Principal and Group interfaces. However, the content is the same as what is available in the JBoss source code. (Thanks for open Source). This I did to preserve the portability across app servers.

In the login method of my custom login module, I verify the user Id and password by trying to create a directory context from the user id and password. If I succeed, then I try to retrieve the user role information which is later added to the subject (at the time of invocation of the commit method on my custom login module).

However, the problem is that after the commit method is invoked on my custom login module as well as on the ClientLoginModule, if I try to query the SecurityAssociation class to see if the subject has indeed got populated, I find that the following code always returns null for the following code:

Subject subject = SecurityAssociation.getSubject();

Any help would be appreciated.

Thanks in advance.
Sriraman.