1) client authenticates via JAAS
2) gets reference to stateful session EJB
3) calls some methods
4) at some point, client decides to re-authenticate, because he needs to call more privileged methods. So he authenticates as a more privileged user.
5) client calls methods on stateful session EJB with new, more privileged status

My questions:

a) will I be able to use the same EJB reference, even though I have switched security context by re-authenticating to JAAS?
b) will state in the stateful session EJB still be bound to me, or will I have to transfer state to a new session EJB?
c) do I, as a user authenticated with JAAS, have to call every method on the EJB with the doAs(Subject, EJBHandle) syntax?