While attempting to write a custom LoginModule from Tomcat 6, we encountered an interesting situation that we cannot find a good way around. Like the LoginModule from http://www.hibernate.org/139.html, we were initializing a SessionFactory whenever the LoginModule's initialize() method was being called, which is when a user POSTs to j_security_check, and when our web application initializes as it uses Hibernate, too.

We took the code used for the LoginModule and placed it within Tomcat's /server/lib directory and placed the hibernate.cfg.xml file in /server/classes while the application was put under webapps (/webapps/blah) along with it's hibernate.cfg.xml. However, whenever the LoginModule was being invoked by the web application, the server was using the hibernate.cfg.xml for the webapp rather than the server as the webapp's classloader was being used.

Has anyone come across this situation with using Hibernate in a LoginModule in Tomcat? How is it possible to have Hibernate initialized in the LoginModule by the server rather than the invoking webapp? Am I correct in assuming that the LoginModule is invoked whenever any user POSTs to j_security_check?

Sincerely,
Andrew