there seem to be 2 different ways of authenticating with JAAS and making secure calls to EJBs:
Way A: 1a) authenticate via JAAS logincontext.login() 2a) obtain a subject 3a) make calls to ejbs with the Subject.doAs(subject, action) construct
Way B: 1a) authenticate via JAAS logincontext.login() 2a) obtain a subject 3a) just make calls to the ejb without using the construct. Example: myEJB.methodA();
Way A is described on many sites. Way B is published in the new Ed Roman book (3rd Edition)
Are both correct ? I would be more confident knowing an example directly provided by Sun, or having sources from Sun Microsystems for this. Although I think Ed Roman knows what he is doing, it seems too easy for me and I ask myself if something changed in EJB/JAAS between the 2nd and 3rd Edition of the book ?
subject: Authenticating with EJB tier/JAAS - 2 different ways ?