Sorry, I got sidetracked and could not respond quickly enough. Yes, what you have set up is correct and was what I described. Using the "client-login" security domain is a better option than modifying "other". And you added "ejb-domain" as I described.
As mentioned before, the login context you have set up can only be used to authenticate/authorize (A/A) calls to JBoss in the same thread. This works fine in your scenario to allow your servlet to access an EJB. Since web applications are multi-threaded, with threads being reused from pools, this mechanism should not be used to provide A/A for users. In such a case, you would need to create this login context/login/logout for every servlet. The best way to provide user A/A is to use container managed authentication as described in chapter 8.

enjoy,
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3949402#3949402
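
The thread-reuse problem described in the post above, as an added example that is not part of the original post and is not JBoss code: a plain-JDK simulation in which a `ThreadLocal` (an assumption standing in for the thread-bound identity that a login on the "client-login" context establishes) shows a login left on a pooled thread being picked up by the next request, next to a handler that pairs every login with a logout. All class and method names are hypothetical.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Constructed simulation: CALLER stands in for the identity bound to the
// current thread by a client-side login. Plain JDK only, no JBoss classes.
public class ThreadBoundLoginDemo {
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Hypothetical stand-ins for LoginContext.login() and logout().
    static void login(String user) { CALLER.set(user); }
    static void logout() { CALLER.remove(); }

    // Stand-in for an EJB call that runs as whoever is bound to the thread.
    static String callEjb() {
        String who = CALLER.get();
        return who == null ? "anonymous" : who;
    }

    // Request handler that logs in but never logs out.
    static String leakyRequest(String user) {
        if (user != null) login(user);
        return callEjb();
    }

    // Request handler that brackets the call with login and logout.
    static String scopedRequest(String user) {
        if (user == null) return callEjb();
        login(user);
        try {
            return callEjb();
        } finally {
            logout(); // always clear before the thread returns to the pool
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so every request is guaranteed to reuse it.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            System.out.println(pool.submit(() -> leakyRequest("alice")).get());
            // No credentials supplied, but the thread still carries the last login.
            System.out.println(pool.submit(() -> leakyRequest(null)).get());
            System.out.println(pool.submit(() -> scopedRequest("bob")).get());
            // No credentials supplied; the previous handler cleared its login.
            System.out.println(pool.submit(() -> scopedRequest(null)).get());
        } finally {
            pool.shutdown();
        }
    }
}
```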