I have a question about how JAAS works within JBoss. I'm in charge of securing our application, so I've created some custom login modules (that use SRP, certificate, smart card) that populate a Subject object. This Subject object contains an identity and roles that will give access to some EJBs on the server.
In the specification, it's stated that when making a call to an EJB (using Subject.doAs(subject, action)), the populated subject is passed to the server. But it seems that this is not the case.
Indeed, when my client calls an EJB, only roles that come from roles.properties (since I'm using the default UserRolesLoginModule) are checked against that EJB's method permissions.
Did I miss something? If yes, can someone explain to me how I can get, on the server, the Subject populated on the client side?
Thanks a lot for your help.