EJB3 & How JAAS subject/principal is propagated to EJB Tier from servlet container?

Question

I\'m trying to understand how the JAAS principal propagates to the Business/EJB tier from web tier.

I\'ve read that the if the roles/realm is configured in l

Answer 1

1. yes it's true. that's generally the point of ejb, to take the "hard" stuff out of the hands of the developer (e.g. security, transactions, robustness, multithreading, etc.)
2. it's implementation dependent. i know that in jboss (at least 4.x and before), remote method calls used a custom serialization protocol which had an additional Map of arbitrary information which could be sent along with the request. in this was the auth info as well as other stuff to support clustering. for local method calls i believe they use stuff like ThreadLocals.