0 Replies Latest reply on Apr 8, 2009 11:52 AM by lonny27

    ClientLoginModule and the mysterious another login module

    lonny27

      Hi,
      the documentation http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/4/html/The_JBoss_Security_Extension_Architecture-How_the_JaasSecurityManager_Uses_JAAS.html makes it clear:

      ClientLoginModule: This is the default client side module that simply binds the username and password to the JBoss EJB invocation layer for later authentication on the server. The identity of the client is not authenticated on the client.

      http://www.jboss.org/community/docs/DOC-9298
      If you need to perform client-side authentication of users you would need to configure another login module in addition to the ClientLoginModule.


      So in my case the authentication is done when the first SessionBean is accessed via its remote interface. Works perfectly.
      Caveat: All LoginExceptions (e.g. account expired) thrown by the server-side configured LoginModule get lost, and a useless EJBAccessException is caught if the authentication fails.

      Question: What other mysterious LoginModule is needed so the server-side authentication is triggered when calling LoginContext.login() on the client-side? Is that even possible?

      Thanks a lot for any help,
      Ron
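
The deferred authentication described in the post, reproduced with JDK JAAS classes only, as an added example that is not code from the post or from JBoss. `BindOnlyLoginModule`, `invokeSecuredBean` and the account `ron`/`secret` are hypothetical stand-ins for ClientLoginModule, a secured remote bean call and the server-side user store.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DeferredAuthDemo {
    static String boundUser; static char[] boundPass; // stand-in for the invocation layer

    // Hypothetical stand-in for ClientLoginModule: stores credentials, verifies nothing.
    public static class BindOnlyLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.toString()); }
            boundUser = nc.getName();
            boundPass = pc.getPassword();
            return true; // no check against any user store
        }
        public boolean commit() { return true; }
        public boolean abort() { return logout(); }
        public boolean logout() { boundUser = null; boundPass = null; return true; }
    }

    // Simulated secured call: only here are the bound credentials checked (constructed account).
    static String invokeSecuredBean() {
        if (boundPass == null || !"ron".equals(boundUser) || !"secret".equals(new String(boundPass)))
            throw new SecurityException("caller unauthorized"); // plays the role of EJBAccessException
        return "ok";
    }

    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(BindOnlyLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        CallbackHandler wrongPassword = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("ron");
                if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("wrong".toCharArray());
            }
        };
        new LoginContext("client-login", null, wrongPassword, cfg).login();
        System.out.println("login() succeeded although the password is wrong");
        try { invokeSecuredBean(); }
        catch (SecurityException e) { System.out.println("first secured call failed: " + e.getMessage()); }
    }
}
```

The reason for the rejection exists only inside `invokeSecuredBean`; the caller sees just the generic exception, which mirrors the lost LoginException detail described above.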