I want to know where the principal and role of the caller are set when an EJB is called. I have read the security chapter in EJB, but it only mentions the two methods getCallerPrincipal() and isCallerInRole(). But who is responsible for setting them?
Let's say I want to call an EJB method from a servlet. I would do it this way:
    @EJB SimpleBean bean;
    bean.someMethod();
In this case I am not setting any principal or role myself. So how would they be available when the EJB method is called?
The principal is set once the client is authenticated by the container. The application doesn't set the caller principal. Roles and principals are part of the security domain configured in the container or other network infrastructure.
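The propagation described in the answer, as an added example that is not part of the original question or answer: the container authenticates the web request, and the same identity is what the bean sees. It assumes the javax.* (Java EE) namespace, hypothetical role names "user" and "admin", and a container whose login configuration and security domain map users to those roles.

```java
// SimpleBean.java: the bean from the question; role names are hypothetical
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"user", "admin"})
public class SimpleBean {
    @Resource
    private SessionContext ctx;            // injected by the container

    @RolesAllowed("user")                  // enforced by the container before the call
    public String someMethod() {
        // Neither value is set by application code; both come from the
        // security context the container attached to this invocation.
        Principal caller = ctx.getCallerPrincipal();
        boolean admin = ctx.isCallerInRole("admin");
        return caller.getName() + (admin ? " (admin)" : "");
    }
}

// CallerServlet.java: the calling servlet; URL pattern "/call" is hypothetical
import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/call")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user")) // forces container login first
public class CallerServlet extends HttpServlet {
    @EJB
    private SimpleBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        // Identity the container established when it authenticated the request
        resp.getWriter().println("web tier: " + req.getUserPrincipal().getName());
        // The same identity is propagated to the EJB call
        resp.getWriter().println("ejb tier: " + bean.someMethod());
    }
}
```

Without the servlet constraint the request reaches the bean unauthenticated, and the container rejects the call to someMethod() because of @RolesAllowed.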