JAAS Authentication

Similar Messages

• Is it possible to bypass JAAS authentication and use Authorisation alone?

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

• JAAS authentication with WebLogic 6 - "Invalid Configuration Class Name"

  For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
  package, compiled, and copied it to the right place in the classes directory of the webapp project.
  The class is specified as a parameter in startWebLogic.cmd:
  -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
  When a servlet attempts to get LoginContext, I get this error:
  "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
  The class file is definitely in the right place. What's the deal?
  Thanks,
  Rob

  Seems to be a ClassLoader problem. The sample is a client app, so no problem. But if you create
  a Configuration class to run on the server (to set up a LoginModule for authenticating clients)...
  I think what's happening is that the System class loader, using the CLASSPATH in the environment
  of the WebLogic server when it starts, attempts to load the Configuration class and can't (because it
  is in the CLASSPATH of the web app, not of the System class loader). If you add the Configuration
  class to the CLASSPATH of the WebLogic server, then it gets loaded but the LoginModule can't be
  found. If you add the LoginModule to the WebLogic server CLASSPATH, then any classes that it calls
  must also be in the WebLogic server CLASSPATH.
  Could someone from BEA please comment: is that the intention, that any classes used for JAAS
  authentication be part of the server's CLASSPATH, not part of the web application?
  Thanks,
  Rob
  "Rob Weltman" <[email protected]> wrote:
  >
  For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
  package, compiled, and copied it to the right place in the classes directory of the webapp project.
  The class is specified as a parameter in startWebLogic.cmd:
  -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
  When a servlet attempts to get LoginContext, I get this error:
  "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
  The class file is definitely in the right place. What's the deal?
  Thanks,
  Rob

• JAAS-authentication and wls-authorization in a webapp

  Hi,
  I am developing a webapp with jsp, servlets and ejbs.
  My question:
  Is it possible to use JAAS-authentication together with wls-authorization in a
  webapp?
  thanks
  /Chriz

  Hi, Office 365 tenants indeed include an Azure AD tenant in the background and you can implement Single Sign-On against that. The authentication scenario for this case is documented
  here. For the code samples (with steps to create them) see the
  samples' Github repository, especially the
  WebApp-WSFederation-DotNet sample. 
  For the SQL database it's a bit different. Azure SQL Database connection can't be authenticated like this - there's no integration to the "domain" accounts there. So you should create one service account for the SQL connection and use that for
  all the traffic in your web app. If you need authorization for accessing certain data in SQL, you have to implement that on your web application side.

• JAAS Authentication Example Error

  I am working with the JAAS Authentication example provided by Sun at the following link:
  http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/index.html
  I am working with Windows NT. I am using a NTLoginModule in my config file. I would like to create a simple Login that uses the current OS's user ID. Once I add the security.manager and a policy file that includes anything besides full permisions (permission java.security.AllPermission;), I get a Security Exception, and more specifically a "java.security.AccessControlException:access denied...".
  I am using the following config:
  JaasConfig {
  com.sun.security.auth.module.NTLoginModule required debug="true";
  I would like to use a policy file that gives permission to a file for the current user. I would like to do something similar to the following, but get the error once this is added....
  grant Principal com.sun.security.auth.NTUserPrincipal "user"
  //Allow everything for now
  //permission java.security.AllPermission;
  permission java.io.FilePermission "ProtectedFile.txt", "read , write";
  What am I doing wrong? Any help is very much appreciated!
  Thanks!

  I got it...my policy file needed more to work in NT. Here is the entire file:
  grant Principal com.sun.security.auth.NTUserPrincipal "s156898"
       permission java.io.FilePermission "ProtectedFile.txt", "read";
  grant {
  //Allow everything for now
  //permission java.security.AllPermission;
       permission javax.security.auth.AuthPermission "createLoginContext.JAASConfig"     permission java.io.FilePermission "ProtectedFile.txt", "read";
       permission javax.security.auth.AuthPermission "modifyPrincipals";
       permission javax.security.auth.AuthPermission "doAsPrivileged";
       permission javax.security.auth.AuthPermission "getSubject";
  However, I am trying to also do my work on a Solaris/Unix machine. I get an error that tells me that only Principal-based entries are allow. Anyone know how to give permission to all users in a Principal statemtent. The same setup as the above, using Unix Principals, will not work. Seems like I have to always have a grant and Principal for every set of permissions.
  Lemme know if you can help. Thanks!

• JAAS Authentication Programmatically

  On Web sphere I have defined a JAAS Authentication Entry with an Alias, Username and Password. There are 2 � 3 applications running on this instance of the server.
  From one of these applications I would like verify the username and password as in �JAAS Authentication Entry� programmatically.
  Is this possible? If so can you please help me with more details like:
  1.     Is there any change needed in the specific application�s web.xml to point at the JAAS security of the server.
  2.     Any specific JAVA API to access JAAS information (configured on server) from a java program.
  Thanks

  Yes - as long as it is serializable.

• Using Identity Server as a JAAS authentication provider

  My client wants to use Identity Server to provide JAAS authentication for the Java application they're developing.
  The JAAS tutorial shows how the name of the Java class that provides the authentication service is provided, then an instance of this class is instantiated and the .login method invoked to actually perform the authentication.
  The stated principle behind the tutorial is one of using a pluggable authentication framework, and one should not care how authentication is performed. As long as the callbacks to allow the authentication framework to ask for the credentials required, it should not matter.
  The example of how to do LDAP authentication using Identity server requires using some identity server classes. ie the com.sun.identity.authentication.AuthContext class. They specifically want to use pure JAAS authentication rather than creating a dependance in their application on Identity Server.
  Is a Java class available which provides this functionality?
  Thanks

  In Apache you can specify the authentication parameters in the virtual host configuration

• Problem with JAAS authentication using jboss client

  I'm trying to make a little compiled application works. It has two parts: a little client(one class) and a server part which runs on a jboss server, and comunicates between them using JAAS + SSL. It works perfectly alone if I run it in a java project, without the messing sap JAAS implementation.
  I followed all the steps in:
  https://websmp101.sap-ag.de/~sapidb/011000358700003517632004E.PDF
  and managed to apply the configuration into the security service of WAS, using <b>jboss-client.jar</b> as the library with the login module, and <b>org.jboss.security.ClientLoginModule</b> as the login module.
  I included the client class into a web service developed for my WAS, packing the class and its library plus jboss-client.jar into my EAR.
  But when it tries to do the authentication, sometimes it uses:
  <b>org.jboss.security.ClientLoginModule</b> (that's the correct class) but throws a "<b>User is locked</b>" exception.
  Have I need to create the user who I use to connect to jboss in my WAS UME ? This has no much sense. Anyway doesn't work either, and the user is not locked.
  Other times (withouth changing anything) it uses:
  <b>com.sap.engine.system.SystemLoginModule</b> and throws this exception:
  <b>com.sap.engine.services.security.exceptions.BaseLoginException</b>: Call logout before login
  I have nightmares trying to integrate things which works in every application server but WAS. Why couldn't they simply follow the standard!?
  I'm thinking in installing a tomcat with the client, and use axis to wrap it with a web service I can consume from my WAS. Not very elegant solution.
  I think it maybe has something to do with specific callback classes from sap implementation.
  Any idea? I can't go forward.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• JAAS-authentication to external secure system within EJB?

  I would like to write an EJB that accesses an external,
  non-WebLogic system that uses JAAS security. It looks like using
  plain vanilla JAAS client code would break some EJB programming rules.
  I need to pass credentials to this external system
  (private/public keys, etc.) that are on the filesystem.
  I see WL has "Credential Mapping" but couldn't really see how
  I'd use and implement this to authenticate to the external
  system.
  Any advice would be appreciated.
  -Rolf Arands

  one way, which I know that will work, is to run you JAAS code on some container. If authentication works, the code on you container forwards HTTP request to the WAS.
  The WAS must have a Trust association interceptor (TAI), written for you purpose. You container forwards the HTTP request with the authenticated userid in the request. The TAI intercepts the requests and pulls the authenticated userid from the request and returns the userid to the WAS security manager.
  I have created a small presentation that shows how security credentials is propagated to the WebLogic and WAS security managers. It can be found on my site.
  /Bo
  http://appliedcrypto.com

• JAAS Authentication in WLS 7.0

  Hi,
  I have a problem trying to authenticate a user using JAAS in WLS 7.0: in the
  LoginModule I get a java.lang.IllegalAccessError:
  java.security.acl.NotOwnerException when invoke the
  weblogic.security.auth.Authenticate.authenticate(env, subject) method. The
  environment I define as follows:
  env.setProviderUrl("t3://localhost:7001");
  env.setSecurityPrincipal("testuser");
  env.setSecurityCredentials("testpassword");
  where testuser belongs to the group Administrators and I use it successfully
  for starting the server and manipulating the console.
  At the same time I successfully pass authentication as anonymous if I set
  only the provider URL.
  I would be very grateful for any information related to this problem.
  Vladimir

  Vladimir,
  The the first problem you're having here is that you seem to be using a
  depricated API. I can't tell from your description but I believe this API
  was intended for use only within the process space of a t3 client, so check
  your client's java security policy settings.
  Alex
  "Vladimir" <[email protected]> wrote in message
  news:[email protected]..
  Hi,
  I have a problem trying to authenticate a user using JAAS in WLS 7.0: inthe
  LoginModule I get a java.lang.IllegalAccessError:
  java.security.acl.NotOwnerException when invoke the
  weblogic.security.auth.Authenticate.authenticate(env, subject) method. The
  environment I define as follows:
  env.setProviderUrl("t3://localhost:7001");
  env.setSecurityPrincipal("testuser");
  env.setSecurityCredentials("testpassword");
  where testuser belongs to the group Administrators and I use itsuccessfully
  for starting the server and manipulating the console.
  At the same time I successfully pass authentication as anonymous if I set
  only the provider URL.
  I would be very grateful for any information related to this problem.
  Vladimir

• Jaas authentication with cutom realm problem

  I'm having this problem, I have a web application made with JSF running on Sun One Application Server 9, and I made a cutom realm with Jaas so that the server will be handeling the authentication and it is working fine. The problem is that i want to load some info into the user's session after that he have been authenticated based on the username. But I have on clue how to do it. so I'll be very thanks full it anybody helped me.

  Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

• JAAS, authentication only, in WLS 6

  I've poured over the newsgroups and the sample client, and nothing matches what I'd
  like to accomplish. What I want to do seems simple enough, but I haven't been able
  to get it to work:
  1. Configure WLS 6 SP1 to use its realms/authentication processes
  2. From within an EJB's method, using JAAS, ask Weblogic if this is a valid user
  (i.e., does this user/psw combination exist in the weblogic-managed realm(s)?).
  That's all I want to do, nothing more, nothing less. I'm getting nowhere and I've
  been at this for 2 days now. My latest incarnation was to specify the ServerPolicy
  in my call to create a login context. This authenticates, all right, but it authenticates
  everyone! My previous incarnation was to grit my teeth and write a login module
  just like in the (client) sample, but then this didn't work either. It replaced
  weblogic's authentication with mine (which I DON'T want) and I couldn't get it to
  "call back" into WLS for it to authenticate for me.
  This doesn't seem too difficult a task to me, but yet, none of the samples are clear,
  none of the environment settings are clear, and none of the books I have (I've looked
  at 2 WLS-specific books and the Sun JAAS site) are clear.
  How might I go about accomplishing this task?
  The current (within EJB) code I'm attempting is:
  // Create a login context and an associated handler for the password...
  LoginContext // Need a (JAAS) login context...
  Ctx = new LoginContext(strJAAS,
  new JAASAuthenticateCallback(strUsername,
  strPassword));
  Ctx.login(); // Perform the login
  // If we get here, the user/password is authenticated.
  Ctx.logout(); // Since we're just authenticating, log out!
  This snippet of code ALWAYS authenticates successfully (no exceptions thrown) regardless
  of what value is used for strJAAS, user ID and password!

  You can copy the JAAS example, implementing your own version of all the
  classes they give, and it will (eventually) work.
  Alternatively, if this is on the server, you can just grab the realm and
  call the appropriate authentication method:
  CachingRealm realm = (CachingRealm)Security.getRealm();
  UserInfo info = new DefaultUserInfoImpl(name, password);
  User user = realm.authenticate(info);
  if (null != user) ...
  (I'm using a caching realm, obviously).
  Two days is pretty optimistic. It's taken me two weeks to get qn SQL-based
  realm and login working (about a week each for the realm and the login)
  (although I'm not programming full time as I have to manage a couple of
  other prgrammers too).
  Good luck,
  Andrew
  "Al Cilcius" <[email protected]> escribió en el mensaje
  news:[email protected]...
  >
  I've poured over the newsgroups and the sample client, and nothing matcheswhat I'd
  like to accomplish. What I want to do seems simple enough, but I haven'tbeen able
  to get it to work:
  1. Configure WLS 6 SP1 to use its realms/authentication processes
  2. From within an EJB's method, using JAAS, ask Weblogic if this is avalid user
  (i.e., does this user/psw combination exist in the weblogic-managedrealm(s)?).
  >
  That's all I want to do, nothing more, nothing less. I'm getting nowhereand I've
  been at this for 2 days now. My latest incarnation was to specify theServerPolicy
  in my call to create a login context. This authenticates, all right, butit authenticates
  everyone! My previous incarnation was to grit my teeth and write a loginmodule
  just like in the (client) sample, but then this didn't work either. Itreplaced
  weblogic's authentication with mine (which I DON'T want) and I couldn'tget it to
  "call back" into WLS for it to authenticate for me.
  This doesn't seem too difficult a task to me, but yet, none of the samplesare clear,
  none of the environment settings are clear, and none of the books I have(I've looked
  at 2 WLS-specific books and the Sun JAAS site) are clear.
  How might I go about accomplishing this task?
  The current (within EJB) code I'm attempting is:
  // Create a login context and an associated handler for the password...
  LoginContext // Need a (JAAS) login context...
  Ctx = new LoginContext(strJAAS,
  new JAASAuthenticateCallback(strUsername,
  strPassword));
  Ctx.login(); // Perform the login
  // If we get here, the user/password is authenticated.
  Ctx.logout(); // Since we're just authenticating, logout!
  >
  This snippet of code ALWAYS authenticates successfully (no exceptionsthrown) regardless
  of what value is used for strJAAS, user ID and password!

• JAAS authentication is not working with IIOP and wlclient.jar

  Hi,
  I'm currently working on a remote client that requires authentication with JAAS.
  The Application server is Weblogic 9.2 MP1.
  The client is deployed with wlclient.jar and the used protocol is iiop.
  I'm also using the default UsernamePasswordLoginModule module for authentication.
  The LoginContext.login goes smoothly but the Principal Set in the obtained Subject object is empty!
  Using the same code with weblogic.jar and t3 protocol the principals are filled(i.e. I can see the groups where the involved user is member).
  Any suggestions ??
  regards,
  Luca

  So, when you execute this, where exactly does it crash/stop, or what is the output you get from those dbms_output lines? Do you know the output of memberOf and are you sure that things will match?

• WlClient.jar & JAAS authentication Issues

  If I run the JAAS example (examples/security/jaas) that comes with
  wl8.1 sp1 but use wlclient.jar instead of weblogic.jar, the
  LoginContext.login() method returns a Subject even if I pass in an
  invalid user/password combination. If weblogic.jar is in the
  classpath, a javax.security.auth.login.LoginException is thrown which
  is what I want to happen for invalid credentials. When running with
  wlclient.jar, the code doesn't fail until it actually attempts to
  access the EJB at which point it gets a org.omg.CORBA.NO_PERMISSION.
  I am trying to use JAAS to login from a swing app and I want to use
  wlclient.jar instead of weblogic.jar, but I need to be able to
  determine whether the login was successful without waiting until I
  access a secured EJB. Why does wlclient.jar behave differently than
  weblogic.jar? How can I determine if my login worked if Weblogic is
  going to return a Subject no matter what username/password I pass in?

  Hi,
  I have a similar problem when using wlclient.jar. I am able to authenticate using
  the UsernamePasswordLoginModule (with authOnLogin true), but I get an error when
  invoking a secured EJB:
       UsernamePasswordLoginModule.initialize(), debug enabled
       UsernamePasswordLoginModule.initialize(), authOnLogin enabled
       UsernamePasswordLoginModule.login(), username weblogic
       UsernamePasswordLoginModule.login(), URL t3://localhost:7001
       Logged in
       Invoking EJB
       java.rmi.AccessException: CORBA NO_PERMISSION 0 Maybe; nested exception is:
            org.omg.CORBA.NO_PERMISSION: vmcid: 0x0 minor code: 0 completed: Maybe
            at com.sun.corba.se.internal.iiop.ShutdownUtilDelegate.mapSystemException(ShutdownUtilDelegate.java:95)
            at javax.rmi.CORBA.Util.mapSystemException(Util.java:65)
  The login is successfull, but I get the org.omg.CORBA.NO_PERMISSION when invoking
  the EJB. If I replace wlclient.jar with weblogic.jar it works fine! But we can't
  use weblogic.jar in our deployed client, because a) it's HUGE, b) it conflicts
  with Ant 1.6.1.
  Any ideas?
  "Memo S" <[email protected]> wrote:
  >
  Here is the answer
  A UsernamePasswordLoginModule LoginModule was added for use by the IIOP
  thin-client.
  This class has the same API as that of the weblogic.security.auth.login.UsernamePasswordLoginModule
  class, but in this implementation, there is a new property called authOnLogin.
  When true, this property forces the login method to perform authentication
  (rather
  than on the first invocation). The default for this new property is false.
  Regards.
  Memo S
  "Ganapathi" <[email protected]> wrote:
  If I run the JAAS example (examples/security/jaas) that comes with
  wl8.1 sp1 but use wlclient.jar instead of weblogic.jar, the
  LoginContext.login() method returns a Subject even if I pass in an
  invalid user/password combination. If weblogic.jar is in the
  classpath, a javax.security.auth.login.LoginException is thrown which
  is what I want to happen for invalid credentials. When running with
  wlclient.jar, the code doesn't fail until it actually attempts to
  access the EJB at which point it gets a org.omg.CORBA.NO_PERMISSION.
  I am trying to use JAAS to login from a swing app and I want to use
  wlclient.jar instead of weblogic.jar, but I need to be able to
  determine whether the login was successful without waiting until I
  access a secured EJB. Why does wlclient.jar behave differently than
  weblogic.jar? How can I determine if my login worked if Weblogic is
  going to return a Subject no matter what username/password I pass in?

• What's the point of Weblogic JAAS authentication?

  Hello, I'm looking into one way authentication using weblogic and JAAS,
  Weblogic say this is the preferred mechanism, however I can't see the
  advantages. My (ok, limited) understanding of it is thus:
  The advantage of JAAS is that you can specify different login modules to
  utilise different types of authentication. However authentication to a
  weblogic server will only work by calling
  weblogic.security.auth.Authenticate.authenticate (due to weblogic's own
  implementation of the javax.security.auth. classes), thus only one
  loginmodule is available.
  The ability to use different authentication types is provided by the
  application server by using/creating different realms. The client possibly
  being able to specify different authentication by one of the arguments to a
  custom realm(?).
  Thus why bother with JAAS seeing that it doesn't seem to offer anything
  extra over JNDI authentication and requires more code?
  Thanks, any ideas appreciated.
  Alan.

  Good point.
  "James" <[email protected]> wrote in message
  news:3c506266$[email protected]..
  This may not apply to you, but I have to consider the need to remain
  portable between different vendor's application servers. WebLogic's
  proprietary realm architecture makes it a pain to get up and going in a
  Websphere or a Oracle AS. So I see that as a major advantage.
  James
  Viewlocity, Inc.
  http://www.viewlocity.com
  "Alan Phillips" <alan.phillips@|remove|ftid.com> wrote in message
  news:[email protected]..
  Hello, I'm looking into one way authentication using weblogic and JAAS,
  Weblogic say this is the preferred mechanism, however I can't see the
  advantages. My (ok, limited) understanding of it is thus:
  The advantage of JAAS is that you can specify different login modules to
  utilise different types of authentication. However authentication to a
  weblogic server will only work by calling
  weblogic.security.auth.Authenticate.authenticate (due to weblogic's own
  implementation of the javax.security.auth. classes), thus only one
  loginmodule is available.
  The ability to use different authentication types is provided by the
  application server by using/creating different realms. The client
  possibly
  being able to specify different authentication by one of the argumentsto
  a
  custom realm(?).
  Thus why bother with JAAS seeing that it doesn't seem to offer anything
  extra over JNDI authentication and requires more code?
  Thanks, any ideas appreciated.
  Alan.

• Programmatic JAAS Authentication for Web/EJBs on WebLogic 12c

  Technologies: JSPs, Servlets, EJBs (version 2.1)
  Database: Oracle 11g Database
  Application Server: WebLogic 12c
  I am working on a project where the users and roles are stored on an Oracle database (as database users with roles granted to them). We therefore need a custom authentication method (the default WebLogic UsernamePasswordLoginModule won't cut it). We created a DatabaseUserLoginModule prior to migrating from a 10g enviroment to 11g/12c.
  public class DatabaseUserLoginModule implements LoginModule
       public boolean login() throws LoginException
            Connection conn = null;
            try
                 s
                 InitialContext ic = new InitialContext();
                 DataSource ds = (DataSource)ic.lookup(jndiDSName);
                 conn = ds.getConnection(username, password);
                 List dbauth = new ArrayList();
                 String rolesSQL = "SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS UNION SELECT GRANTED_ROLE FROM ROLE_ROLE_PRIVS";
                 Statement rolesStmt = conn.createStatement();
                 ResultSet results = rolesStmt.executeQuery(rolesSQL);
                 dbauth.add(new DBUserPrincipal(username));
                 while (results.next())
                      String roleName = results.getString("GRANTED_ROLE");
                      DBRolePrincipal dbRolePrincipal = new DBRolePrincipal(roleName);
                      dbauth.add(dbRolePrincipal);
                 authPrincipals = (Principal[])dbauth.toArray(new Principal[dbauth.size()]);
            catch (Exception e)
                 throw new LoginExcpetion(e.getMessage());
            finally
                 try
                      conn.close();
                 catch (Exception e)
                      throw new LoginExcpetion(e.getMessage());
            return true;
       public boolean commit() throws LoginException
            for (int i = 0; i < authPrincipals.length; i++)
                 subject.getPrincipals().add(authPrincipals[i]);
            return true;
  The getConnection() method on the datasource works with a database username and password thanks to the new "Use Database Credentials" option for WebLogic datasources and granting CONNECT THROUGH (datasource user) privilege for each user.
  We have configured a JAAS context to use this login module by creating a jaas.conf file and setting JAVA_OPTIONS to include "-Djava.security.auth.login.config=%DOMAIN_HOME%\bin\jaas.conf". The file looks like this:
  Test {
  xxxx.controller.security.loginmodule.DatabaseUserLoginModule required;
  When the user logs in, the application uses a LoginContext object to perform authentication:
      PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
      lc = new LoginContext("Test", cbh);
      lc.login();
  This successfully uses the DatabaseUserLoginModule to authenticate the user and populate the Subject with the appropriate roles.
  The next step is to use an InitialContext to lookup an EJB and call a method. We have permissions in ejb-jar.xml for each method, based on database roles:
  <method-permission>
       <role-name>XXXX_USER</role-name>
       <method>
            <ejb-name>AccessControl</ejb-name>
            <method-intf>Home</method-intf>
           <method-name>create</method-name>
           <method-params>
                 <method-param>java.lang.String</method-param>
           </method-params>
       </method>
       <method>
           <ejb-name>AccessControl</ejb-name>
           <method-intf>Remote</method-intf>
           <method-name>remove</method-name>
       </method>
       <method>
           <ejb-name>AccessControl</ejb-name>
           <method-intf>Remote</method-intf>
           <method-name>processFailedLogin</method-name>
           <method-params>
                 <method-param>java.lang.String</method-param>
           </method-params>
       </method>
       <method>
           <ejb-name>AccessControl</ejb-name>
           <method-intf>Remote</method-intf>
           <method-name>processSuccessfulLogin</method-name>
           <method-params>
                 <method-param>java.lang.String</method-param>
           </method-params>
       </method>
  </method-permission>
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
  env.put(Context.PROVIDER_URL, "t3://localhost:7101");
  env.put(Context.SECURITY_PRINCIPAL, username);
  env.put(Context.SECURITY_CREDENTIALS, password);
  InitialContext ic = new InitialContext(env);
  ic.lookup("EJBName");
  The problem is that when the InitialContext is initialised I get the following error:
  javax.naming.AuthenticationException [Root exception is javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User XXXX_USER] javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User XXXX_USER denied]
  It looks like the InitialContext is attempting to authenticate the user through WebLogic's default authenticator. How do I tell it to use the JAAS context (with the custom login module) I have already set up?
  If I use the default constructor (new InitialContext()) then I get a different error when calling an EJB method:
  <java.rmi.AccessException: [EJB:010160]Security violation: User <anonymous> has insufficient permission to access EJB type=<ejb>, application=TestApplication, module=TestEJB.jar, ejb=AccessControl, method=processSuccessfulLogin, methodInterface=Remote, signature={java.lang.String}.>
  In this case, how do I propagate the Subject after using LoginContext so that the user calling EJB methods is not anonymous?

  This is the JDev & ADF forum. Your question is better asked in one of the WebLogic forums!
  Timo