I am using jboss-as-7.1.0.Final-SNAPSHOT and trying to set up a custom login module that uses a database. I followed the instructions in the AS7 documentation to configure a new security domain in standalone.xml, security-domain in jboss-security.xml and security-constraint in web.xml, and I set JBoss' logging to TRACE so I can see that my custom login module methods are being successfully invoked (e.g. login(), authenticate()).
I don't want to use manual transaction demarcation in my login module, so it would be great if my login module could be a stateful EJB.
Taking a look at the JBoss AS7 : Security Domain Model article, which says:
Just write the FQCN in the code attribute and it should work out of the box.
To place the custom login module class files, you can place them in a jar and put it either:
application classpath of your web archive (war) or ejb jar or enterprise archive (ear) OR separate module under the modules directory.
It looks like the sky's the limit on where I can place my login module, including within the EJB module of my application. Does this mean that my custom login module can be a stateful EJB? I haven't read anything that says, "No." However, when I deploy my login module as a stateful EJB, the injected managed beans and the injected EntityManager do not appear to be injected; I get a NullPointerException when I try to invoke methods on them.
I took a look at org.jboss.security.auth.spi.DatabaseServerLoginModule, which is provided as one of JBoss' default login modules. I wanted to see how database access is handled there. The DataSource lookup is via InitialContext, e.g.:
InitialContext ctx = new InitialContext();
DataSource ds = (DataSource) ctx.lookup(dsJndiName);
conn = ds.getConnection();
and transactions are all handled manually. I don't want to use this approach if possible.
Can I use a stateful EJB? Or am I way off base in my approach to this?