0 Replies Latest reply on Jan 20, 2005 4:50 AM by mkania

    JAAS callback handler with BASIC authentication problem

    mkania

      hi all,

      I have a servlet which is secured with a basic authentication method. When I request a secured resource, I am asked by the web container to introduce myself in a popup. This is the web tier authentication. After letting me in, I want to invoke a method on an EJB. That is why I have to propagate the security context from the web tier to the EJB tier. As far as I have learned from the forum, I have to do a JAAS login. The way JBoss people do it is:

      import java.security.Principal;
      import javax.security.auth.login.LoginContext;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.callback.SecurityAssociationHandler;
      // username/password are the caller's; the LoginContext constructor and login() throw javax.security.auth.login.LoginException
      Principal user = new SimplePrincipal(username);
      SecurityAssociationHandler callbackHandler =
       new SecurityAssociationHandler(user, password.toCharArray());
      LoginContext loginContext = new LoginContext("OracleDbRealm", callbackHandler);
      loginContext.login();


      The problem is how to get the principal and its credential from the web tier, if the only object I am getting is 'j_subject', which seems to be of javax.security.auth.Subject type? I do not have a separate username and password to use. When I look at the API, I can see a method to get the principal, but is it possible to get the password this way? Or is it possible to pass the whole Subject object directly to SecurityAssociationHandler to validate by LoginContext in some manner?

      I know I can work around it using a FORM authentication method, reading the request parameters 'j_username' and 'j_password' and then passing them on, but I would like to do it using the BASIC one.

      Thanks in advance,
      --Marcin
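The following is an added example and not part of the original post or of JBoss. It shows the mechanics the question is about: under BASIC authentication the container has already validated the request, but the clear-text credential is still present in the Authorization header (base64 of user:password), so a servlet can parse it and answer the standard JAAS NameCallback/PasswordCallback itself, then open a LoginContext against the realm named in the post. The class name BasicAuthJaasServlet is invented, java.util.Base64 assumes Java 8 or later, and whether this login actually propagates to the EJB tier depends on which login modules the "OracleDbRealm" entry in login-config.xml is assumed to contain; the example only demonstrates the JAAS login itself.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; the realm name is the one used in the post.
public class BasicAuthJaasServlet extends HttpServlet {

    private static final String REALM = "OracleDbRealm"; // assumed to exist in login-config.xml

    /** Parses "Authorization: Basic base64(user:password)"; returns null if absent or malformed. */
    static String[] parseBasicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        // A password may itself contain ':', so split only on the first one.
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Standard JAAS CallbackHandler that answers the name and password callbacks a login module asks for. */
    static CallbackHandler handlerFor(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller, so getRemoteUser() is set;
        // the header is re-read only to recover the credential for the JAAS login,
        // and the user name in it must agree with what the container established.
        String[] creds = parseBasicCredentials(req.getHeader("Authorization"));
        if (creds == null || req.getRemoteUser() == null || !req.getRemoteUser().equals(creds[0])) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        char[] password = creds[1].toCharArray();
        try {
            LoginContext lc = new LoginContext(REALM, handlerFor(creds[0], password));
            lc.login();
            try {
                // Invoke the EJB here, while the JAAS login is active for this thread.
                resp.setContentType("text/plain");
                resp.getWriter().println("JAAS login succeeded for " + creds[0]);
            } finally {
                lc.logout();
            }
        } catch (LoginException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text credential in memory
        }
    }
}
```

parseBasicCredentials is kept separate from the servlet logic so it can be unit-tested with a constructed header such as "Basic " + base64("alice:s3cret"), and the name check against getRemoteUser() ties the credential being replayed into JAAS to the identity the container already accepted.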