Probably I need to give you some more details.. I need this second login module to authenticate my ws calls. The login from the web site works very well, but if I add my login module to the existing configuration the login modules are called twice, as I told you in my previous message.
I just realized that, if I add a new
<?xml version='1.0'?> <!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd"> <policy> <application-policy name = "policy1"> <authentication> <login-module code="org.jboss.security.ClientLoginModule" flag="required"> </login-module> <login-module code = "my.first.login.module" flag = "required"> </login-module> </authentication> </application-policy> <application-policy name = "policy2"> <authentication> <login-module code="my.second.login.module" flag="required"> </login-module> </authentication> </application-policy> </policy>
section in my emp-login-config.xml and include there my login module, it gets called only once. So I found the cause of the problem, but I can't explain why it happens like this.
I have nothing against using another security domain for my WS authentication, but the problem is my EJBs are declared with @SecurityDomain("policy1"); as a consequence, when the WS calls my EJB I'm getting an exception (obvious, I know)
Anybody ? Any idea ?
When I declare my.first.login.module as "sufficient" I am able to access the EJBs, although they are declared with
and I log on using the following code:
LoginContext lc = new LoginContext("policy2", cbHandler); lc.login();
When I'm debugging with Eclipse, it seems my.first.login.module is still touched, although it shouldn't (it's in policy1, not policy2)
Any ideas why ?