I am using jboss-as-7.1.0.Final-SNAPSHOT and trying to set up a custom login module that uses a database. I followed the instructions in the AS7 documentation to configure a new security domain in standalone.xml, security-domain in jboss-security.xml and security-constraint in web.xml, and I set JBoss' logging to TRACE so I can see that my custom login module methods are being successfully invoked (e.g. login(), authenticate()).
I don't want to use manual transaction demarcation in my login module, so it would be great if my login module could be a stateful ejb.
Taking a look at the JBoss AS7 : Security Domain Model article, which says:
Just write the FQCN in the code attribute and it should work out of the box.
To place the custom login module class files, you can place them in a jar and put it either:
application classpath of your web archive (war) or ejb jar or enterprise archive (ear) OR
separate module under the modules directory.
It looks like the sky's the limit on where I can place my login module, including within the EJB module of my application. Does this mean that my custom login module can be a stateful ejb? I haven't read anything that says, "No." However, when I deploy my login module as a stateful ejb, injected managed beans and the injected EntityManager do not appear to be injected; I get a NullPointerException when I try to invoke methods on them.
I took a look at org.jboss.security.auth.spi.DatabaseServerLoginModule, which is provided as one of JBoss' default login modules. I wanted to see how database access is handled there. DataSource lookup is via InitialContext e.g.
InitialContext ctx = new InitialContext();
DataSource ds = (DataSource) ctx.lookup(dsJndiName);
conn = ds.getConnection();
and transactions are all handled manually. I don't want to use this approach if possible.
Can I use a stateful ejb? Or am I way off base in my approach to this?
The question was answered on JBoss Community as follows:
A custom login module cannot be a stateful ejb because "the respective lifecycles of a stateful EJB and a login module are quite different," and "login modules are created and used for the duration of a single authentication step and then left to be garbage collected."
A custom login module can't use CDI, so one cannot inject a managed bean. One person said that it would be pretty cool if JAAS provided a means to inject a managed bean, and that someone needs to propose an update to the JAAS spec to allow this.
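With injection ruled out, what remains is the JNDI lookup that DatabaseServerLoginModule uses. The following is an added example, not code from the original thread or from JBoss, of a plain JAAS login module that resolves its own DataSource. The class name, the dsJndiName option, the app_users schema and the PBKDF2 parameters are assumptions, and role mapping is omitted.

```java
import java.security.*;
import java.sql.*;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;

// Added example: a new instance handles one authentication attempt, so per-attempt state sits in fields.
public class JndiDbLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private String dsJndiName; private Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        dsJndiName = (String) opts.get("dsJndiName"); // module-option name is an assumption
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
            // The container does not manage this object, so nothing is injected: look the DataSource up.
            DataSource ds = (DataSource) new InitialContext().lookup(dsJndiName);
            try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(
                    "SELECT salt, pw_hash FROM app_users WHERE username = ?")) { // assumed schema
                ps.setString(1, nc.getName()); // bound parameter, never string concatenation
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) throw new FailedLoginException("authentication failed");
                    byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(
                        new PBEKeySpec(pc.getPassword(), rs.getBytes(1), 100000, 160)).getEncoded();
                    // Constant-time comparison; same message as the unknown-user case.
                    if (!MessageDigest.isEqual(derived, rs.getBytes(2)))
                        throw new FailedLoginException("authentication failed");
                }
            }
            final String name = nc.getName();
            principal = new Principal() { public String getName() { return name; } };
            return true;
        } catch (LoginException e) { throw e;
        } catch (Exception e) { // naming, SQL, callback or crypto failure: fail closed
            throw new LoginException("login module error: " + e.getClass().getSimpleName());
        } finally { pc.clearPassword(); }
    }
    public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```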