I have a fundamental question on JBoss security. I could not find an answer to the following question in the 2.4.4 doc. The Entity or Session context interfaces define a method to get a Principal object. I do not understand what service populates it there. I went through the discussion on JAAS login and see how a client could be authenticated. What is the mechanism to inform a JBoss server of a user session?