I have configured my beans to require that clients be authenticated by setting a top-level security domain. Everything works well, except in the following case:
A client uses the standard ClientLoginModule to authenticate, and successfully calls a method on a stateless session bean. This method returns a remote object, which was compiled using 'rmic' and whose constructor has a line like 'UnicastRemoteObject.exportObject (this)'.
Now my client makes a call on this remote object, and this object, in the server JVM, attempts to create another stateless session bean. This attempt fails, apparently because the security context which is passed along transparently when I make the first method call (to get the remote object) is no longer available when I make the remote call.
Any idea what I need to do to make this RMI call pass authentication?
[SecurityInterceptor] Authentication exception, principal=null
[LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=null