This should work with the CallerIdentityLoginModule (from the connector module). You need an additional login module for each ManagedConnectionFactory beyond the applications' login module because the PasswordCredential has to include the managedConnectionFactory it is intended for.
Can you verify that the LDAP login module is actually including the credentials in the Subject it creates?
I haven't actually tested the CallerIdentityLoginModule, so if there are problems, please speak up.
Can you supply any details on how I should configure the CallerIdentityLoginModule? I'm assuming I configure this in my deployed service.xml file? I've configured the LDAP login module in server/default/conf/login-config.xml.
I haven't been able to verify the subject contains credentials. By the time my connector gets the subject it appears not to.
The configuration for any login module should go in login-config.xml. (There is supposed to be a way to hot deploy them but I don't know what it is.) There are some examples for ConfiguredIdentityLoginModule there. You need to supply a Realm name that matches the security domain name in the *-service/ds.xml file and also the object name of the connection manager mbean for your datasource. As I recall you can also supply a default user/pw in case there is no security context(???).
What should happen if it is working is that the CallerIdentity login module supplies a subject with a single credential, that being a PasswordCredential with the user/pw and managed connection factory. Without one of the jca login modules, there will be no PasswordCredential for your adapter to use.
Brilliant! That worked great. Thanks for the help.
One thing I noticed (I'm using CallerIdentityLoginModule) with my JCA adapter is that it always uses the default username/password.
Looking through the code, the SecurityAssociation.getPrincipal() and SecurityAssociation.getCredential() always come back null.
How do I get it to propagate the subject of the user who logged in?
Ah, it seems I had a bad configuration. Once I fixed that, the username/password is coming through nicely.
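The replies above say the adapter should receive a Subject whose PasswordCredential names the ManagedConnectionFactory it is intended for. The following is an added example, not code from this thread or from JBoss, showing how an adapter can select that credential and log whether it arrived. The class `SubjectCredentials` and its method names are hypothetical; the API calls are the standard JCA and JAAS ones.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;

/** Hypothetical helper for a resource adapter; class and method names are illustrative. */
public final class SubjectCredentials {

    private SubjectCredentials() {}

    /** Reads the PasswordCredentials; private credentials are permission-guarded. */
    private static Set<PasswordCredential> passwordCredentials(final Subject subject) {
        return AccessController.doPrivileged(new PrivilegedAction<Set<PasswordCredential>>() {
            public Set<PasswordCredential> run() {
                return subject.getPrivateCredentials(PasswordCredential.class);
            }
        });
    }

    /**
     * Returns the PasswordCredential addressed to the given factory, or null when
     * the Subject carries none (for example, no JCA login module is configured).
     */
    public static PasswordCredential find(Subject subject, ManagedConnectionFactory mcf) {
        if (subject == null) {
            return null; // no security context reached the adapter
        }
        for (PasswordCredential pc : passwordCredentials(subject)) {
            // A Subject can hold credentials for several factories; take only ours.
            if (mcf.equals(pc.getManagedConnectionFactory())) {
                return pc;
            }
        }
        return null;
    }

    /** Summary that is safe to log: counts and the user name only, never the password. */
    public static String describe(Subject subject, ManagedConnectionFactory mcf) {
        if (subject == null) {
            return "subject=null";
        }
        PasswordCredential match = find(subject, mcf);
        return "principals=" + subject.getPrincipals().size()
                + " passwordCredentials=" + passwordCredentials(subject).size()
                + " matchForThisFactory=" + (match == null ? "none" : match.getUserName());
    }
}
```

Calling `describe` from the adapter's `createManagedConnection` distinguishes a Subject with no credentials at all from one whose credentials were issued for a different ManagedConnectionFactory.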