JBoss JAAS 自定义登录模块

Question

I'm trying to use a custom JAAS authentication module for a web based application hosted on JBoss 5.1.0.GA . So everything seems to be working fine, until the number of users increases and sessions (so it think) start getting mixed.

The reason i'm using the custom JAAS is because of a custom authentication backend and the need to pass back the password for futher usage in the application.

When i call request.getUserPrincipal in servlets i get an object of type SimplePrincipal instead on my custom principal. To get the user i'm using SecurityAssociation.getSubject().getPrincipals() and suspect that at this point i'm getting the incorrect principal.

Whats the correct way to implement a customing login module and retrieving the loggedin Principal on the web layer(Serlets) on JBoss?

EDIT: The problem exists on the EJB layer, https://issues.jboss.org/browse/EJBTHREE-1756

Ref:

1. http://stuffthathappens.com/blog/2008/05/16/writing-a-custom-jaas-loginmodule/
2. http://community.jboss.org/wiki/SecurityJAASLoginModule
3. http://community.jboss.org/message/531986#531986
4. http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html
5. http://community.jboss.org/thread/44388
6. http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/pdf/Security_Guide/JBoss_Enterprise_Application_Platform-5-Security_Guide-en-US.pdf

Answer 1

I couldn't get the LoginModule with my custom principal working. I created a Tomcat valve that encrypts and pushes the password to the HttpSession . Other servlets will retrieve and decrypt the password.