I am trying to achieve the following with two security domains: Principal of type A is authenticated in domain A. An EJB deployed in domain A is calling an EJB in domain B, where domain B uses a different identity type (another Principal implementation class). For domain B the ID returned by getName() has a different meaning than for domain A.
What I intend to have is a LoginModule, which either accepts Principals of type B, or can map Principals of type A to a Principal of type B; either way, the Principal returned by the LoginModule is of type B.
The LoginModule actually adds the Principal (type B) to the Subject, but the application code (getCallerPrincipal()) still gets the original Principal (type A) instead of the mapped Principal (type B). How can I achieve that for domain B JBoss works with another caller identity than for domain A?
Is it possible to be able to configure the Principal class to be used for a call to Subject.getPrincipals(class) for a specific security domain?
JCA introduces the concept of a "Principal Mapping Module". This is pretty much what I am looking for, just for JBoss to JBoss calls instead of JBoss to EIS calls.
Read the CallerPrincipal subject usage pattern in chap 8 of the online admin devl guide in the free docs. This allows a given identity and proof of identity to be mapped to a separate principal as seen by getCallerPrincipal.
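The pattern the reply points to is a plain JAAS LoginModule that, in commit(), adds the mapped identity to the Subject inside a Group named "CallerPrincipal"; JBoss resolves getCallerPrincipal() from that group's single member rather than from the first Principal on the Subject. The sketch below is an added example written for this thread, not code from either poster or from JBoss. The classes DomainAPrincipal, DomainBPrincipal, CallerPrincipalGroup and MappingLoginModule, and the "map.<name>" option keys, are hypothetical; it also assumes the inbound domain-A identity is already present on the Subject handed to the module (a real module would typically pull it from the CallbackHandler), and it uses java.security.acl.Group, the interface JBoss of that generation expects, which is deprecated in modern JDKs.

```java
// Added example (not from the original post or from JBoss): a domain-B LoginModule
// that accepts a type-B principal as is, maps a type-A principal to type B, and
// publishes the result via the "CallerPrincipal" group so getCallerPrincipal() sees type B.
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical domain-A identity: getName() is a user login. */
final class DomainAPrincipal implements Principal {
    private final String login;
    DomainAPrincipal(String login) { this.login = login; }
    public String getName() { return login; }
}

/** Hypothetical domain-B identity: getName() is an account id with a different meaning. */
final class DomainBPrincipal implements Principal {
    private final String accountId;
    DomainBPrincipal(String accountId) { this.accountId = accountId; }
    public String getName() { return accountId; }
}

/** Minimal Group named "CallerPrincipal"; JBoss ships its own group class, this one keeps the example self-contained. */
final class CallerPrincipalGroup implements Group {
    private final Set<Principal> members = new LinkedHashSet<Principal>();
    public String getName() { return "CallerPrincipal"; }
    public boolean addMember(Principal p) { return members.add(p); }
    public boolean removeMember(Principal p) { return members.remove(p); }
    public boolean isMember(Principal p) { return members.contains(p); }
    public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
}

public class MappingLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> options;
    private DomainBPrincipal mapped;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.options = options;
    }

    /** Decide the domain-B identity; fail closed when no mapping exists. */
    public boolean login() throws LoginException {
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof DomainBPrincipal) {
                mapped = (DomainBPrincipal) p;          // already the right type, accept unchanged
                return true;
            }
            if (p instanceof DomainAPrincipal) {
                // Hypothetical mapping table in the module options: map.<domainA login>=<domainB account id>
                Object target = options.get("map." + p.getName());
                if (target == null) {
                    throw new LoginException("no domain B mapping for " + p.getName());
                }
                mapped = new DomainBPrincipal(target.toString());
                return true;
            }
        }
        throw new LoginException("no usable principal on subject");
    }

    /** Publish the mapped identity; the CallerPrincipal group is what getCallerPrincipal() is resolved from. */
    public boolean commit() {
        CallerPrincipalGroup callerGroup = new CallerPrincipalGroup();
        callerGroup.addMember(mapped);
        subject.getPrincipals().add(mapped);
        subject.getPrincipals().add(callerGroup);
        return true;
    }

    public boolean abort() { mapped = null; return true; }

    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof CallerPrincipalGroup || p == mapped);
        mapped = null;
        return true;
    }
}
```

The type-A principal stays on the Subject (it was not added by this module), which is why publishing the type-B identity through the "CallerPrincipal" group matters: without that group the container falls back to whichever Principal it finds first, which is the behaviour described in the question.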