EJB3 & How JAAS subject/principal is propagated to EJB Tier from servlet container?

心在旅途 2021-01-03 10:35

I'm trying to understand how the JAAS principal propagates to the Business/EJB tier from web tier.

I've read that if the roles/realm is configured in l

4 answers
  •  独厮守ぢ
    2021-01-03 11:02

    How the Principal propagates to the EJB tier from the web tier is configured through the login-config in the web.xml, as you had surmised, for the most part.

    How it is implemented is implementation dependent. The user/group data is also implementation dependent and is configured as part of the application server.

    However, one of the ways this is done is through an implementation of the JASPIC provider, which is a standard way of obtaining the Principal. Using this allows you to have a different authentication path compared to the standard form login, basic authentication or certificate authentication provided by WEB-INF/web.xml, but it is a little bit more work.

    JASPIC authentication paths allow more complex scenarios such as header-based authentication or two-factor or OpenID. The user database "usually" does not need to be tied to the one in the application server. I say "usually" because WebSphere Application Server ties the authentication to a user configured on the server.
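
A sketch of the header-based JASPIC path mentioned in the answer above, added here as an example and not taken from the original post or from any application server's code. It assumes the javax-namespace JASPIC API, a fronting proxy that authenticates users and strips any client-supplied copy of the header, and hypothetical names (`ProxyHeaderAuthModule`, `X-Authenticated-User`, group `users`).

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example. The header is only trustworthy if the app server is reachable
// solely through the proxy that sets it (assumption of this sketch).
public class ProxyHeaderAuthModule implements ServerAuthModule {
    private static final String USER_HEADER = "X-Authenticated-User"; // hypothetical name
    private CallbackHandler handler;

    @Override public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map options) {
        this.handler = h; // container-supplied; it creates the container's own Principal
    }

    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }

    @Override public AuthStatus validateRequest(MessageInfo info, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        String user = request.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            // Fail closed: this sketch rejects every request that lacks the header.
            ((HttpServletResponse) info.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }
        try {
            // The container stores the caller and groups in clientSubject; roles are mapped from the groups.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, new String[] {"users"})}); // hypothetical group
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("cannot establish caller principal").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    @Override public AuthStatus secureResponse(MessageInfo info, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override public void cleanSubject(MessageInfo info, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```

The caller established through the callbacks is what `HttpServletRequest.getUserPrincipal()` returns in the web tier and what `EJBContext.getCallerPrincipal()` returns in an EJB invoked from that request. How the module is registered with the server is vendor-specific.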
