I am using jboss-as-7.1.0.Final-SNAPSHOT and trying to set up custom login module that uses a database. I followed the instructions in the AS7 documentation to configure a new security domain in standalone.xml, security-domain in jboss-security.xml and security-constraint in web.xml and I set JBoss’ logging to TRACE so I can see that my custom login module methods are being successfully invoked (e.g. login(), authenticate()).

I don’t want to use manual transaction demarcation in my login module, so it would be great if my login module could be e a stateful ejb.

Taking a look at the JBoss AS7 : Security Domain Model article, which says:

Just write the FQCN in the code attribute and it should work out of the box.

To place the custom login module class files, you can place them in a jar and put it either:

application classpath of your web archive (war) or ejb jar or enterprise archive (ear) OR
separate module under the modules directory.

It looks like the sky’s the limit on where I can place my login module, including within the EJB module of my application. Does this mean that my custom login module can be a stateful ejb? I haven’t read anything that says, “No.” However when I deploy my login module as stateful ejb injected managed beans and injected EntityManager do not appear to be injected; I get NullPointerException when I try to invoke methods on them.

I took a look at org.jboss.security.auth.spi.DatabaseServerLoginModule, which is provided as one of JBoss’ default login modules. I wanted to see how database access is handled there. DataSource lookup is via InitialContext e.g.

InitialContext ctx = new InitialContext();
DataSource ds = (DataSource) ctx.lookup(dsJndiName);
conn = ds.getConnection();

and transactions are all handled manually. I don’t want to use this approach if possible.

Can I use stateful ejb? Or am I way off base in my approach to this?