Enabling trace gave me more information:

> [UsersRolesLoginModule] Bad password for username=null

After playing around a bit, it appears that this is something to do with the redirect happening after the form-based authentication succeeds. What I've found is that it works just fine _after_ you've logged in.

What appears to happen is that the form-based login succeeds, then Tomcat redirects to the original request. That request then fires off a servlet filter which finds it has a remoteUser, grabs the session, and makes a call to an EJB. That call to the EJB apparently doesn't propagate the security context, as the username is null (as noted above). Also, on the next request, a NEW session is present in the filter and the call to the EJB succeeds. Subsequent to that, everything works just fine.

I can't upload the EAR (for commercial reasons), but if I find the time I might create a stripped-down version which demonstrates the problem. Shouldn't really be hard though, all you need is a webapp with form-based authentication and a servlet filter which calls a stateless session bean if it has a remoteUser. Set this up to use the "other" security realm and I would expect it to fail like above.

The only thing I can find in the Tomcat release notes for 5.0.28 which seems even remotely relevant is this:

> 30602: Subject is not available during the first call to the servlet which use the basic authentication (jfarcand)
>
> 29406: Made JAASRealm configurable as to whether it should use the context ClassLoader or the default ClassLoader by adding a useContextClassLoader boolean attribute. (yoavs)

... which doesn't really help me much.

Do you have any further suggestions as to how I can debug this?

Thanks,
Daniel

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3849987#3849987
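A diagnostic filter for the setup described in the message above, as an added example that is not part of the original post or of JBoss/Tomcat: it logs the web-tier identity next to the caller identity the EJB tier reports, so a request where the security context was not propagated stands out. The class name `IdentityTraceFilter`, the local interfaces `WhoAmILocal` and `WhoAmILocalHome`, and the JNDI name `java:comp/env/ejb/WhoAmI` are hypothetical; the example also assumes the bean is reached through EJB 2.x local interfaces.

```java
// Added diagnostic example; not code from the original post.
import java.io.IOException;
import javax.ejb.CreateException;
import javax.ejb.EJBLocalHome;
import javax.ejb.EJBLocalObject;
import javax.naming.InitialContext;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical EJB 2.x local interfaces for a stateless session bean whose
// whoAmI() returns SessionContext.getCallerPrincipal().getName().
interface WhoAmILocal extends EJBLocalObject { String whoAmI(); }
interface WhoAmILocalHome extends EJBLocalHome { WhoAmILocal create() throws CreateException; }

public class IdentityTraceFilter implements Filter {
    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String webUser = http.getRemoteUser();
        if (webUser != null) {
            HttpSession session = http.getSession(false);
            // Web-tier view. The session id is logged only as a hash: enough to see
            // whether the session changed between requests without leaking the id.
            String state = "uri=" + http.getRequestURI()
                    + " remoteUser=" + webUser + " principal=" + http.getUserPrincipal()
                    + " session=" + (session == null ? "none"
                        : Integer.toHexString(session.getId().hashCode()) + " new=" + session.isNew());
            try {
                // Assumed ejb-local-ref name; it must be declared in web.xml.
                WhoAmILocalHome home = (WhoAmILocalHome)
                        new InitialContext().lookup("java:comp/env/ejb/WhoAmI");
                // EJB-tier view: the caller identity that was actually propagated.
                log(state + " ejbCaller=" + home.create().whoAmI());
            } catch (Exception e) {
                // A rejected or failed call is recorded; the request is still served.
                log(state + " ejbCallFailed=" + e);
            }
        }
        chain.doFilter(req, res);
    }

    private void log(String msg) { config.getServletContext().log("[identity-trace] " + msg); }
}
```

Comparing the log line for the request that follows the login redirect with the line for the next request shows whether `remoteUser`, the session hash and `ejbCaller` disagree on the first one.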
