A Principal, that is, the identity (or identities) under which the user is known to the application, is established by the authentication process and represents the user during all subsequent requests. The
Java platform specifies two solutions for authenticating users to the server:
JAAS (for any Java-based application) and
servlets (for web applications).
It is useful to understand at this stage that
EJB security is all about authorisation, not authentication: any authentication has already been done before a request reaches the EJB container.
The java.security.Principal object represents a user's identity. It carries only the principal name (getName()), not roles or any other attributes of the logged-on user. For EJB applications, Principals are associated with callers' requests in server-specific ways. The J2EE specification requires that, for all EJBs in a call chain within the same application, EJBContext.getCallerPrincipal returns the same identity, which must also be the identity returned by HttpServletRequest.getUserPrincipal if that is not null (a run-as identity configured on a bean, described below, is the one thing that changes the identity seen further down the chain). Whereas the servlet specification allows getUserPrincipal to return null for an unauthenticated user, the EJB specification states that getCallerPrincipal never returns null: an unauthenticated caller is represented by a container-specific "unauthenticated" Principal, so bean code must not rely on a null check to detect an anonymous caller.
The Application Assembler can change, via the deployment descriptor, the identity under which a bean's own outbound calls execute. The <security-identity> element exists for that and takes one of two child elements:
<use-caller-identity/>: propagate the caller's identity unchanged, so every method of the bean runs as, and makes further calls as, whoever called it. This is the default when no <security-identity> is given.
<run-as>: specify a security role (via <role-name>) whose identity the bean uses for the calls it makes to other beans and resources. Note that run-as does not change what the bean itself sees: its callers are still authorised against their own identity, and getCallerPrincipal inside the bean still returns the original caller.
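The following ejb-jar.xml is an added example, not a descriptor from the original page or from any real project, showing both <security-identity> choices together with the caller-principal behaviour described above. The bean names (ReportBean, AuditBean), classes under example.*, and the roles "user" and "auditor" are assumptions made for the illustration. ReportBean is the bean the web tier calls; it runs as "auditor" so that its calls into AuditBean are accepted, while AuditBean keeps the default caller identity and is locked down to that role.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical ejb-jar.xml (EJB 2.1 schema), constructed for illustration.
     Call chain: servlet (authenticated as a "user") -> ReportBean -> AuditBean -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd"
         version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>ReportBean</ejb-name>
      <home>example.ReportHome</home>
      <remote>example.Report</remote>
      <ejb-class>example.ReportEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Inside ReportEJB, EJBContext.getCallerPrincipal() still returns the
           web user's Principal (the same one the servlet saw in
           HttpServletRequest.getUserPrincipal()); access to ReportBean's
           methods is checked against that user's roles. run-as only changes
           the identity ReportBean presents when it calls AuditBean. -->
      <security-identity>
        <run-as>
          <role-name>auditor</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>AuditBean</ejb-name>
      <local-home>example.AuditLocalHome</local-home>
      <local>example.AuditLocal</local>
      <ejb-class>example.AuditEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Explicit form of the default: whatever identity arrives is used.
           Because ReportBean runs as "auditor", getCallerPrincipal() here
           returns the principal the deployer mapped to that role (a
           container-specific mapping), not the end user. -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>user</role-name></security-role>
    <security-role><role-name>auditor</role-name></security-role>
    <!-- Any authenticated "user" may run reports ... -->
    <method-permission>
      <role-name>user</role-name>
      <method>
        <ejb-name>ReportBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- ... but only "auditor" may reach AuditBean. A servlet that looked up
         AuditBean directly as a plain "user" would be refused; the only path
         in is through ReportBean's run-as identity. -->
    <method-permission>
      <role-name>auditor</role-name>
      <method>
        <ejb-name>AuditBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The practical check when reviewing such a descriptor is to trace each call chain twice: once for the identity used for authorisation at each hop (run-as changes it at the hop after the bean that declares it) and once for what getCallerPrincipal returns inside each bean (unchanged by the bean's own run-as). A bean that logs or audits getCallerPrincipal().getName() downstream of a run-as bean records the mapped run-as principal, not the human user, so the original user's name has to be passed explicitly if it is needed there.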