EJB3 & How JAAS subject/principal is propagated to EJB Tier from servlet container?

心在旅途 2021-01-03 10:35

I'm trying to understand how the JAAS principal propagates to the Business/EJB tier from web tier.

I've read that if the roles/realm is configured in l

4 answers
  •  没有蜡笔的小新
    2021-01-03 11:07

    Regarding your first question - yes.
    Regarding your second question - are you familiar, for example, with EJB3 interceptors?
    The container creates proxied objects with "interception code" for the beans,
    and in addition the container can track other annotations on the methods and the bean class,
    for example, to detect the @PostConstruct annotation.
    Using the role definition, it can check the configuration
    (either login-config.xml in older versions of JBoss, or standalone.xml in JBoss AS 7 in the standalone configuration) and understand what the definition is for each role.
    JAAS is used in order to provide you with an abstraction layer over authentication and authorization.
    One of the concepts behind JAAS is the login module - it provides you with "protocol specific" code that takes care of the actual authorization and authentication.
    For example, I'm using Krb5LoginModule in this way to use Kerberos.
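
The interception described in the answer above, as an added example that is not part of the original answer and is not JBoss code: a JDK dynamic proxy stands in for the container-generated bean proxy and checks the caller's role principals before delegating to the bean. The `Roles` annotation, the `Role` principal, the `CALLER` thread-local and the `Payroll` bean are hypothetical names, and binding the `Subject` to the request thread is an assumption of this sketch.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;

public class PropagationSketch {
    // Hypothetical stand-in for a role annotation such as @RolesAllowed (keeps the sketch JDK-only).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Roles { String[] value(); }
    record Role(String name) implements Principal { public String getName() { return name; } }

    // Assumption: models the security context a container associates with the request thread.
    static final ThreadLocal<Subject> CALLER = new ThreadLocal<>();

    public interface Payroll { String raise(String employee); }
    static class PayrollBean implements Payroll {
        @Roles({"manager"})
        public String raise(String employee) { return "raise approved for " + employee; }
    }

    // The "interception code": runs before every business method call on the proxy.
    @SuppressWarnings("unchecked")
    static <T> T proxy(Class<T> iface, T bean) {
        InvocationHandler h = (p, m, args) -> {
            Method impl = bean.getClass().getMethod(m.getName(), m.getParameterTypes());
            Roles allowed = impl.getAnnotation(Roles.class);
            if (allowed != null) {
                Subject s = CALLER.get();   // the caller identity arrives with the thread
                boolean ok = s != null && s.getPrincipals(Role.class).stream()
                        .anyMatch(r -> Arrays.asList(allowed.value()).contains(r.getName()));
                if (!ok) throw new SecurityException("caller lacks a role for " + m.getName());
            }
            try { return m.invoke(bean, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, h);
    }

    public static void main(String[] unused) {
        Payroll ejb = proxy(Payroll.class, new PayrollBean());
        Subject alice = new Subject();                    // constructed sample caller
        alice.getPrincipals().add(new Role("manager"));
        CALLER.set(alice);                                // "web tier" login result bound to the thread
        System.out.println(ejb.raise("bob"));
        CALLER.set(new Subject());                        // caller with no role principals
        try { ejb.raise("bob"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        CALLER.remove();                                  // never leak identity to a pooled thread
    }
}
```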
