Title: Embedded Servlet/Security Support

Last week, I had written a message describing my woes with security with respect to Embedded Jetty.

After trying out the embedded Tomcat distribution, I ran into the exact same issue, despite following Dain's instructions on how to reconfigure Tomcat to use the JBoss Security manager. 

There are clear indications that other people have been able to get this code to work, so I must be doing something wrong.

In a nutshell, this is what I am doing. We have a servlet which we use to perform remote procedure calls over HTTP. Due to the sensitive nature of some of these calls, they require authentication/authorization before control can be passed to the beans and the container.

 
For authenticating the call, we authenticate as per the instructions in the JAAS tutorial using the JBoss ClientLoginModule.

In a non-embedded situation where the servlet is the client, the code works fine.  However, in an embedded situation, it does not.  We receive the dreaded principal=null problem. 

Per this list, I was informed that code needs to be written for Jetty so that this is supported. Should what I'm describing have worked in the embedded Tomcat case?

If so, what am I doing wrong? Has anyone else accomplished something similar to what I am describing? Do you have any hints?

Any help on this matter would be greatly appreciated.

Thanks,

Han Yuan
