Ok thanks. Well, I have removed the client login code from the servlet, and I have set up a realm using <security-constraint>. All seems to be working OK except that we use a custom principal.
I have made the change as described on the wiki: http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith and all seems to work except that JBossSecurityMgrRealm creates an instance of SimplePrincipal which is then propagated to the context of the session beans. So it would appear you have to write a custom realm?

There appear to be two approaches to using a custom principal with a realm:

1) specify a custom principal in the config for org.apache.catalina.realm.JAASRealm
2) override JBossSecurityMgrRealm

I have tried both approaches to use our custom principal in the realm and neither seems to work correctly:

1) Create a new realm of org.apache.catalina.realm.JAASRealm and specify in the realm configuration to use MyPrincipal. However, this does not work because of this bug --> http://jira.jboss.com/jira/browse/JBWEB-36 and please see http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3897413

2) Create a new realm which extends org.jboss.web.tomcat.security.JBossSecurityMgrRealm and override the authenticate() method to use an instance of MyPrincipal() instead of SimplePrincipal(). However, this does not work, as the line of code SecurityAssociationActions.setPrincipalInfo(principal, digest, subject); seems to do some magic to remember the login details, but this is a protected class so you can't do that.

So have I got this right? How do you use a custom principal in your realm?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3949846#3949846
