I have made JAAS authentication work with JBoss 2.4.10 by checking the user's principal against users.properties / roles.properties / my-client.properties.
The jboss.xml file in my EJB's META-INF contains the following:
It works only if I deploy the EJB directly into the deploy folder. When I log in with an invalid user ID or password, the JBoss server will invoke a SecurityException error.
But if I start JBoss from the command prompt with the previous EJB already loaded in the deploy folder, then JBoss no longer authenticates against the user ID and password; even a wrong ID and/or password allows the client to invoke the bean. Why?