I have a need to not only authenticate the user invoking a web service, but depending on what application originates the call, I need to send additional credentials to identify that machine.

I have already created a custom login module and custom principal object (to accomplish something else). I know JAAS has support for callbacks for additional authenticate checks, but I am fairly certain there is no support for this with web services.

The only solution I have come up with is to concatenate the user's login information with the "application's" login information and have my custom login module create the principal for the user with additional (custom-principal-specific) properties for the other state I need.

Are there any other ways I could approach this problem short of passing the application information on every method invocation, or switching to stateful beans and invoking a method to set this additional credential at the start.