I'm working with an application that accesses secured EJBs through an unsecured servlet. To do this, the servlet executes a ClientLoginModule before making the EJB calls (where a second (server) login module is executed, based on the realm configured for the EJB).
Once the first EJB call has been made (and the server login module has been executed for the first time), the following calls (sent as new HTTP requests) sometimes execute the server login module and sometimes don't. My questions are: what is the mechanism used by JBoss to do this kind of "single sign-on", and where can I find documentation about it? Can I control it (trigger the server login module or not, when I want to)?
I've tested whether JBoss uses the HttpSession, but I think it doesn't (invalidating the HTTP session is not sufficient to compel JBoss to execute the server login module again).
I've read the development manual (version 3.0.5) and didn't find anything about this in the security chapter. One thing I've noticed is that if I run a second ClientLoginModule with a different password, the server login module is triggered.
I'm using JBoss version 3.0.4.
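For readers who want to see the pattern the question describes in code, here is an added example (not the poster's servlet) of an unsecured servlet that runs the JBoss ClientLoginModule through a JAAS LoginContext and then calls a secured EJB. The JAAS application policy name "client-login", the JNDI name "ejb/Account", and the AccountHome/Account EJB 2.x interfaces are assumptions for illustration; the login module itself and the servlet/JAAS APIs are standard.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Unsecured servlet that authenticates to a secured EJB by running the JBoss
 * ClientLoginModule before each EJB call. "client-login" is the conventional
 * JAAS policy name for that module and is assumed here; AccountHome/Account and
 * the JNDI name "ejb/Account" are hypothetical.
 */
public class AccountServlet extends HttpServlet {

    /** Supplies username/password to the NameCallback/PasswordCallback pair. */
    private static final class UserPassHandler implements CallbackHandler {
        private final String user;
        private final char[] pass;

        UserPassHandler(String user, char[] pass) {
            this.user = user;
            this.pass = pass;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(user);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(pass);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials are read from the request only to keep the example
        // self-contained; a real servlet would obtain them some safer way.
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "user/pass required");
            return;
        }

        LoginContext lc = null;
        try {
            // ClientLoginModule performs no authentication itself: it binds the
            // principal and credential to the calling thread so they travel with
            // the EJB invocation, where the server-side login module checks them.
            lc = new LoginContext("client-login",
                    new UserPassHandler(user, pass.toCharArray()));
            lc.login();

            InitialContext ctx = new InitialContext();
            AccountHome home = (AccountHome) PortableRemoteObject.narrow(
                    ctx.lookup("ejb/Account"), AccountHome.class);
            Account account = home.create();
            resp.getWriter().println("balance=" + account.getBalance());
        } catch (LoginException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
        } catch (Exception e) {
            throw new ServletException("EJB call failed", e);
        } finally {
            // Unbind the thread-local credentials so a later request handled on
            // the same container thread cannot reuse them by accident.
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException ignored) {
                    // nothing useful to do at this point
                }
            }
        }
    }
}
```

Two practical notes. First, because the ClientLoginModule only attaches credentials to the current thread, the logout() in the finally block matters: without it, a pooled servlet thread keeps the previous caller's identity for whatever it handles next, which is a more likely source of "sometimes authenticated, sometimes not" confusion than the HttpSession. Second, my understanding (an assumption to verify against the 3.0.4 documentation and the JaasSecurityManager source) is that the server-side security manager for a domain caches authenticated principals and re-validates the supplied credential against the cached one, which would explain why a changed password re-triggers the server login module while a repeated identical login does not; the JaasSecurityManagerService MBean exposes a cache timeout and a flush operation for a security domain, so the cache, not the HttpSession, is where to look for control over when the server login module runs.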