
Separated login config for JBoss?

I'm trying to create an RPM-packaged Ear file that should be installable together with other RPM-packaged Ear files in a JBoss container. (I could probably create a separate container within JBoss, but that's a lot of overhead for one Ear.) This works fine, except for one issue.

My problem is that this Ear file exposes web services that use their own authentication policy (login-config.xml policy/application-policy/authentication/login-module). Now that multiple RPMs want to supply authentication information through this file, we get into conflict with the RPM spec rule that no file can be owned by more than one RPM package (and anyway whichever RPM goes last would clobber the previous).

Is there any way that the application-policy/authentication block can be declared in a separate file or in some manner that places it outside login-config.xml? For example, is it possible to declare additional security mbeans (in separate files) that refer to a separate login XML definition?

This is JBoss v4.2, but I would be willing to consider later if it solved this issue.

Update:

Lukasz rules. Below is working config!

<?xml version='1.0'?>

<server>
<mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
name="jboss.security.tests:service=LoginConfig">

<depends optional-attribute-name="SecurityManagerService">
  jboss.security:service=JaasSecurityManager
</depends>
<depends optional-attribute-name="LoginConfigService">
  jboss.security:service=XMLLoginConfig
</depends>

<attribute name="PolicyConfig" serialDataType="jbxb">

  <jaas:policy
    xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
    xmlns:jaas="urn:jboss:security-config:4.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <jaas:application-policy name="mySecurityDomain">
      <jaas:authentication>
        <jaas:login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <jaas:module-option name="unauthenticatedIdentity">noone</jaas:module-option>
          <jaas:module-option name="dsJndiName">java:/myDataSource</jaas:module-option>
          <jaas:module-option name="principalsQuery">SELECT password FROM WebServiceUser WHERE userName=?</jaas:module-option>
          <jaas:module-option name="rolesQuery">SELECT role, 'Roles' FROM WebServiceUser WHERE userName=?</jaas:module-option>
        </jaas:login-module>
      </jaas:authentication>
    </jaas:application-policy>
  </jaas:policy>

</attribute>
</mbean>
</server>


You can try to set up the login module using the DynamicLoginConfig service. I have never used it, but it looks like something that can help you. It allows you to create the login module configuration in a different file and deploy it during application installation.

Here you can find more info about it:

  • Dynamic configuration of JAAS login
  • AS5: Specifying Security Domain Configuration
  • Configuration DynamicLoginConfig
  • 10.5.2. The DynamicLoginConfig service
  • using DynamicLoginConfig
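
Added example (not part of the original question or answer): once each package ships its own DynamicLoginConfig descriptor, the file conflict is gone, but every descriptor still needs its own MBean name (JMX object names must be unique) and its own application-policy name. This pre-install check reports names declared by more than one descriptor; the file names, MBean names and domain names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

JAAS = "{urn:jboss:security-config:4.1}"  # namespace used by the config above

def service_xml(mbean_name, domain):
    """Build a constructed DynamicLoginConfig descriptor (sample input only)."""
    return f"""<server>
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="{mbean_name}">
    <attribute name="PolicyConfig" serialDataType="jbxb">
      <jaas:policy xmlns:jaas="urn:jboss:security-config:4.1">
        <jaas:application-policy name="{domain}">
          <jaas:authentication>
            <jaas:login-module flag="required"
                code="org.jboss.security.auth.spi.DatabaseServerLoginModule"/>
          </jaas:authentication>
        </jaas:application-policy>
      </jaas:policy>
    </attribute>
  </mbean>
</server>"""

# Hypothetical file names, one per RPM package; contents are constructed.
SAMPLES = {
    "billing-login-service.xml": service_xml("billing:service=LoginConfig", "billingDomain"),
    "reports-login-service.xml": service_xml("reports:service=LoginConfig", "billingDomain"),
    "audit-login-service.xml": service_xml("billing:service=LoginConfig", "auditDomain"),
}

def find_collisions(descriptors):
    """Return {(kind, name): [files]} for names declared by more than one file."""
    seen = defaultdict(list)
    for filename, text in sorted(descriptors.items()):
        root = ET.fromstring(text)
        # MBean object names share one JMX namespace across all deployments.
        for mbean in root.iter("mbean"):
            seen[("mbean", mbean.get("name"))].append(filename)
        # Security domain names share one login configuration across all EARs.
        for policy in root.iter(JAAS + "application-policy"):
            seen[("application-policy", policy.get("name"))].append(filename)
    return {key: files for key, files in seen.items() if len(files) > 1}

if __name__ == "__main__":
    for (kind, name), files in find_collisions(SAMPLES).items():
        print(f"{kind} '{name}' declared in: {', '.join(files)}")
```
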