0 Replies Latest reply on May 14, 2014 2:44 PM by dplappert

    How can a principal be retrieved / propagated in a three tier environment?

    dplappert

      Hi,


      I must admit that I am new to Wildfly and currently evaluating the usage of an application server instead of using just a servlet container (Tomcat). We have a three tier application: a client web app and a middle tier (app). Both are deployed on different servers. The client app uses some functionality of the middle tier by doing remote calls. This is done by using Spring remoting and Hessian. For us it is important that both (the client and the middle tier) are aware of the logged in user. Unfortunately, this cannot be done with Spring remoting. When a remote method in the middle tier is executed by the client app, the middle tier is not aware of the logged in user (who initiated the request). For example: if user A clicked on a button in the client app and a method on the middle tier is executed, there is currently no way to find out that user A clicked on that button. No security information (the principal) is sent along with the remote call. But it is important to know who clicked on that button.


      So my question is: is this possible with Wildfly (using EJBs) and if yes, how (to get an overview of the effort)?


      I have been searching for that answer since yesterday, but with no results. I know that Wildfly can be secured and that, before the remote method is executed, there is an authentication process. But this authentication has nothing to do with my user A; it is rather about allowing the client app to execute the remote method. This is just to make sure that no unauthorized client can execute these remote methods. But I want user A!


      I have to mention that a user can log in either by using a client certificate or by using a username and password. That's why it is not possible to use the username and password to authenticate on the middle tier (which was a suggestion by developers when using Spring Security remoting).


      I appreciate your help!


      Best regards,

      Daniel
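As an added illustration (not part of the original post and not a reply from the forum), this is how a middle-tier EJB on WildFly reads the caller principal that the container established for the remote invocation, instead of receiving no identity at all as with the Hessian call described above. The bean, its remote interface, the role names and the `other` security domain are assumptions, and it presupposes that the client web app's EJB client connection is authenticated as the logged-in user, which the post does not show how to configure.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Hypothetical remote view the client web app would call instead of the Hessian service.
@Remote
interface ButtonServiceRemote {
    String handleButtonClick(String buttonId);
}

// Hypothetical middle-tier bean. "other" is assumed to be the WildFly security
// domain that authenticates the remote EJB connection; "user" and "admin" are
// assumed role names from that domain.
@Stateless
@SecurityDomain("other")
@RolesAllowed("user")
public class ButtonServiceBean implements ButtonServiceRemote {

    // Injected by the container; carries the identity established for this invocation.
    @Resource
    private SessionContext ctx;

    @Override
    public String handleButtonClick(String buttonId) {
        // The container resolves the caller from the authenticated connection,
        // so the user's name is never passed (or trusted) as a method argument.
        Principal caller = ctx.getCallerPrincipal();

        // Per-action authorisation is also decided by the container-managed
        // identity, not by anything the client app claims about its user.
        if (buttonId.startsWith("admin:") && !ctx.isCallerInRole("admin")) {
            throw new EJBAccessException(caller.getName() + " may not use " + buttonId);
        }
        return caller.getName() + " clicked " + buttonId;
    }
}
```

If the client web app authenticates the EJB connection with one fixed technical account, `getCallerPrincipal()` returns that account rather than user A, which is exactly the situation the post describes; the propagated name is only as good as the identity the client-side connection was established with.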