Hello! I'm using JBoss 3.2.1 and Tomcat 4.1 (not the JBoss embedded version). There's a simple page, login.jsp, where the user can log in to the application; the auth method used is FORM and the userid & password are validated against a Directory server. On the web tier the login completes successfully and redirects to a page that calls a stateless session bean.
The question is: 1) How can I propagate the Principal obtained by request.getCallerPrincipal()? I suppose I must do this when creating the InitialContext()..., but I can set only strings on the InitialContext environment. So I saw the SECURITY_PRINCIPAL property that holds the principal name (my username), but in this way on the EJB (JBoss) tier I must perform the authentication again... and I must do this every time I invoke a method on an EJB ???!!!
JAAS' security propagation between containers is not well specified actually. This is usually done using a ThreadLocal class which propagates the authenticated principal to the EJB's stub in a container-specific manner. JBoss client LoginModules use the class org.jboss.security.SecurityAssociation to make this association. So, in your web LoginModule you have to set your authenticated principal on this class, like the example:
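An added illustration of the approach described in the answer above (not code from the original post or from JBoss): a JAAS LoginModule for the web tier that records the caller's identity in `org.jboss.security.SecurityAssociation` once the login stack has succeeded, and clears it on abort or logout. The class name `PropagatingLoginModule` is hypothetical, and the module is assumed to be stacked after the module that validates the password against the directory.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

// Hypothetical module: it does not authenticate, it only propagates.
public class PropagatingLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Principal principal;
    private char[] password;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        this.handler = handler;
        // Without this, SecurityAssociation keeps ONE identity for the whole
        // VM; a multi-user web container needs the per-thread storage.
        SecurityAssociation.setServer();
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("Cannot read credentials: " + e);
        }
        if (nc.getName() == null || pc.getPassword() == null)
            throw new LoginException("Missing user name or password");
        principal = new SimplePrincipal(nc.getName());
        password = pc.getPassword();   // getPassword() returns a copy
        pc.clearPassword();
        return true;
    }

    public boolean commit() {
        // commit() runs only when the whole stack (directory check included)
        // succeeded, so a rejected login never reaches the EJB stubs.
        SecurityAssociation.setPrincipal(principal);
        SecurityAssociation.setCredential(password);
        return true;
    }

    public boolean abort() { return logout(); }

    public boolean logout() {
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        if (password != null) Arrays.fill(password, '\0');
        principal = null;
        password = null;
        return true;
    }
}
```

Because the association is bound to the thread that performed the login, and container request threads are pooled, the identity has to be set for each request that calls an EJB and cleared when that request ends; otherwise a later request on the same thread can run under the previous caller's identity.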