Our product has an API layer, which is implemented as POJO wrapper classes around Stateless Session Beans. The APIs are accessed through a Factory class, and the constructor of the Factory class performs the authentication for the user (logs them in).

We wanted to change the authentication layer within the POJOs to be based on JAAS. So the login performed by the factory constructor now does a login on a JAAS based login context. This login context is provided to (set in) every API class that the factory returns.

When we utilize these API classes from a command-line client, everything works fine. However, when we use these API classes from within a web application (built on Struts, using form-based login), the authentication succeeds, but the calls to the Session Beans (via the POJOs) does not transmit the security context to the Session Bean. In other words, doing an EJBContext.getCallerPrincipal().getName() in the EJB code always returns "Unknown", the unauthenticated user.

I believe we have everything set up correctly (including the auth.conf on the web client side that uses ClientLoginModule with multi-threading turned on). However, this still does not work. I believe it has something to do with the session threading. However, we cannot implement a Servlet Filter that executes the JAAS login again, since the Web Tier is unaware of the authentication layer. Is there any way we can manage this? We tried calling the login method on the stored loginContext in the POJO before each method invocation on the bean, but that did not help.

Any help is greatly appreciated.

Thanks,
Nishant