Can anyone explain to me the timing issues of an authenticated principal between my web tier and my EJB tier? I am using form-based authentication on the web tier with a DatabaseServerLoginModule.
The web tier may go for prolonged periods without hitting the EJB tier. I wanted to know if the "secure session" between my servlets and my EJBs would time out if the EJBs were not accessed for a long time (and stateful session beans may time out, for example). Or is the authentication information passed to the EJB tier, and validated, on every EJB call (meaning it has the same lifetime as the HTTP session)?