Are you sure your login is on the same thread
as the ejb access?
For easier access look at org.jboss.security.SecurityAssociation it has
a ThreadLocal for the security information.
Your Swing client probably uses the JVM wide
configuration of this class.
Depending on how the MBean is invoked, you might
want to save the previous information and restore it
after the EJB invocation?
I am absolutely sure I am logging in from the same thread as where I am accessing the EJBs from. From my MBean I have started 1 thread which does both the logging in and the EJB access (as this is premature code all of this even happens in the same method, the run() method).
I will look into the Class you are mentioning.
A call to SecurityAssociation.getPrincipal() returns null both before and after the login… any ideas?
Problem solved! As written in earlier posts I tried to use my own JAAS login module configuration "myDomain" for the MBean login. This is NOT in accordance with page 276 of the JBossBook_30x (see below... "the only supported mechanism").
Solution: I simply switched from "myDomain" to "client-login" when creating my LoginContext.
However, I am curious why my original solution is not allowed by JBoss? Is that a bug or a feature? - I must admit that the JBoss way works, so no problem there... still, why cannot I use my own login module configuration which carries out _real_ authentication rather than just setting the Principal (as the client-login module configuration does).
Extract from JBossBook_30x:
The ClientLoginModule is an implementation of LoginModule for use by JBoss clients for the establishment of the caller identity and credentials. This simply sets the org.jboss.security.SecurityAssociation.principal to the value of the NameCallback filled in by the CallbackHandler, and the org.jboss.security.SecurityAssociation.credential to the value of the PasswordCallback filled in by the CallbackHandler. This is the only supported mechanism for a client to establish the current thread's caller.
The ClientLoginModule does NO Authentication.
It is a device to associate the thread with the security
The Authentication is done during the ejb invocation
using information established by the ClientLoginModule.
You can configure your own policy in login-config.xml
that has multiple login modules. This would allow you
to do real authentication up-front in the MBean.
Just make sure the ClientLoginModule is at the end of the
chain so that the thread is associated with the
principal/credential for later re-authentication by the
Thanks, Adrian. That is a really good idea - I will do that. I really would prefer having a full up front authentication rather than just setting the credentials - it is often better to choose fail-fast solutions.
However, instead of chaining modules, I guess I could just do the credential propagation and then invoke an EJB method to provoke authentication failure.
I need to try out these options.
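The chained policy suggested in the thread, sketched as an added example that is not part of any post or of JBoss itself: an authenticating module runs first and ClientLoginModule runs last, so a bad password fails at `login()` before any EJB call. The policy name `mbean-auth`, the class name `MBeanWorker` and the choice of UsersRolesLoginModule as the authenticating module are assumptions.

```java
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
/* Assumed login-config.xml entry (the policy name "mbean-auth" is hypothetical):
 * <application-policy name="mbean-auth">
 *   <authentication>
 *     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
 *     <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
 *   </authentication>
 * </application-policy> */
public class MBeanWorker implements Runnable, CallbackHandler {
    private final String user;
    private final char[] password;
    private final Runnable ejbCall; // the EJB work to run once the thread is logged in

    public MBeanWorker(String user, char[] password, Runnable ejbCall) {
        this.user = user;
        this.password = password;
        this.ejbCall = ejbCall;
    }

    // Each module in the chain asks this handler for the same name and password.
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                ((NameCallback) callbacks[i]).setName(user);
            } else if (callbacks[i] instanceof PasswordCallback) {
                ((PasswordCallback) callbacks[i]).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
        }
    }

    public void run() {
        LoginContext lc;
        try {
            lc = new LoginContext("mbean-auth", this);
            lc.login(); // the first module authenticates; bad credentials fail here
        } catch (LoginException e) {
            System.err.println("MBean login rejected: " + e.getMessage());
            return; // never reach the EJB call unauthenticated
        }
        try {
            ejbCall.run(); // same thread, so the identity set by the last module applies
        } finally {
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }
}
```

Login, EJB call and logout all happen inside `run()`, so they stay on the one thread the MBean starts, which is the condition raised in the first reply.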