Look at the org.jboss.web.tomcat.security.JBossSecurityMgrRealm to see how it's done with the embedded version.
Thanks for the bootstrap. I've looked around the classes involved and from what I understand of the code...
I noticed that during the overridden authenticate method on JBossSecurityMgrRealm the Subject created by the LoginContext instance is stored in a SecurityAssociation ThreadLocal instance - I was wondering what became of this Subject?
I also notice that JBossSecurityMgrRealm also supports tomcat Valve interface (not too sure about Valves but my understanding is they are an interception framework for request/response pipeline).
My guess is that at some point later, the same thread that had a Subject stored in the SecurityAssociation from the authenticate call also calls the invoke method on the pipeline?
Is this how the "active" subject for this request is retrieved from SecurityAssociation?
If the above is true then I can see that the active subject is then stored in the request object. But that will only have a lifetime of the request - so is there a filter or some other interception point where the subject is taken from the request and put in the user's web session?
If not, how is the authenticated Subject maintained between requests from tomcat?
The subject of the http request is obtained from thread local of the SecurityAssociation and added to the ejb request for propagation to the ejb container. This is done by the SecurityInterceptor in the ejb proxy. There is no maintenance of the Subject between requests. The caller is authenticated every time and associated with the thread when the request comes in, and cleared on completion of the request.
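As an added illustration of the lifecycle described in the reply above (authenticate, associate the Subject with the request thread, read it downstream, clear it when the request completes), here is a self-contained Java sketch. It is not JBoss or Tomcat code; RequestSecurityAssociation, Request, UserPrincipal and the "secret" credential check are stand-ins constructed for the demo.

```java
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Illustrative stand-in for a thread-local security association (not JBoss's SecurityAssociation).
final class RequestSecurityAssociation {
    private static final ThreadLocal<Subject> SUBJECT = new ThreadLocal<>();
    static void bind(Subject s) { SUBJECT.set(s); }
    static Subject current() { return SUBJECT.get(); }
    static void clear() { SUBJECT.remove(); }
}

// Minimal request and principal types for the demo.
record Request(String user, String password) {}
record UserPrincipal(String name) implements Principal { public String getName() { return name; } }

public class RequestScopedSubjectDemo {
    // Stand-in for a realm's authenticate(): returns a Subject for a valid credential, else null.
    static Subject authenticate(Request req) {
        if (!"secret".equals(req.password())) return null;   // constructed check, not a real realm
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(req.user()));
        return s;
    }
    // Stand-in for a downstream component (e.g. a proxy interceptor) reading the thread's Subject.
    static String downstreamCaller() {
        Subject s = RequestSecurityAssociation.current();
        return s == null ? "anonymous" : s.getPrincipals().iterator().next().getName();
    }
    // Pipeline step: authenticate, bind to the thread for this request, always clear afterwards.
    static String handle(Request req) {
        Subject s = authenticate(req);
        if (s == null) return "401";
        RequestSecurityAssociation.bind(s);
        try {
            return "200 " + downstreamCaller();
        } finally {
            RequestSecurityAssociation.clear(); // without this a pooled thread carries the Subject into the next request
        }
    }
    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one worker thread, like a servlet thread pool
        var first = pool.submit(() -> handle(new Request("alice", "secret")));
        var second = pool.submit(() -> downstreamCaller()); // same thread, new "request", no authentication
        System.out.println(first.get());
        System.out.println(second.get()); // shows whether the first request's Subject leaked to the next request
        pool.shutdown();
    }
}
```

Remove the clear() in the finally block and rerun to see the leak the reply's "cleared on completion of the request" guards against.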