Hi Folks,

I am trying to secure a web service (EJB) which validates a WS-Security username token against a custom JAAS login module. I have created a custom JAAS login module, placed it in the Application logins and set the Authentication strategy as SUFFICIENT. The problem I have is that I thought doing this was sufficient, but it isn't. To get it to work I had to create a managed user and password from the security section of the admin console. Can someone explain to me why this is the case? I don't understand the purpose of the user registry in the context of J2EE application security, as it appears that the user registry is validating the username and password against the WS-Security token. At the moment there is no declarative security on the EJBs; is this important? My assumption was that by creating a custom JAAS login, the login module would authenticate the tokens (in my case against a database) and pass the Subject along the stack, which has no other JAAS login modules, and return to the application.

Any help in understanding this would be greatly appreciated.