You perform the authentication / authorization within the web application environment and not in the EJB application environment. So your principal is only available inside your web server (Tomcat) and not in the EJB application environment.
If you don't want security in your web application, how do you want to retrieve the username/password? In your example you still use a login.jsp which comes from your web application, I suppose. So why not just use the j_security_check? Then your Principal is available in both the web and EJB environment. Otherwise take a look at the source code of JBossSecurityMngRealm.java, because this is the realm that couples Tomcat to JBoss.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841916#3841916
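A `web.xml` fragment for the container-managed form login the reply recommends, added here as an illustration and not taken from the original post or from JBoss. The role name `user`, the URL pattern and the error page name are assumptions; `login.jsp` is the page the reply mentions.

```xml
<!-- Added example: WEB-INF/web.xml fragment (Servlet spec form-based login). -->
<!-- Role name, URL pattern and error page are assumed values. -->
<web-app>

  <!-- Protect the application so the container, not application code, -->
  <!-- performs the authentication and establishes the Principal. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected-area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login: the container shows login.jsp for unauthenticated requests. -->
  <!-- The form in login.jsp must POST to the reserved action j_security_check -->
  <!-- with fields named j_username and j_password, for example: -->
  <!--   <form method="post" action="j_security_check"> -->
  <!--     <input type="text" name="j_username"/> -->
  <!--     <input type="password" name="j_password"/> -->
  <!--   </form> -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

For the Principal to reach the EJB tier, the web application and the EJBs must be bound to the same JBoss security domain (the `security-domain` element in `jboss-web.xml` and `jboss.xml`).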
