Hello.

I would like to know few things and also I would like to ensure I am correct:

First: authentication stuff: if I call my webapp requiring authentication, then auth data is verified by calling a security domain context for this app right?

Then, if I call a local ejb, the method requiring authentication, the previous username and password is propagated to the ejb and security domain associated with it is checked, right?

So, what about remote ejbs? Do I always use username/password from the remoting connection? And how does runas fit into this picture?

Then another problem, authorization. For ejbs and for web, when are the authorization rules in security domains processed?

And last question: is identity trust manager or acl manager ever used in the server?