Subject.doAs(...) means nothing special to jboss. Just doing the JAAS login with the org.jboss.security.ClientLoginModule enables the association of the authenticated Subject with the caller context. Read the JAAS howto in the user forum to get an overview of how security works in jboss. This post has been moved to that forum.
Thanks Scott, I have 2 questions
1. I am a web client, I have 2 servlets.
a. LoginServlet where I invoke the loginContext.login using the ClientLoginModule. This automagically creates a Subject and I need not do any doAs or RunAs and I can access any EJB.
b. I have a viewOtherScreens Servlet which handles requests from the client for other screens.
Obviously I do not want to call login() again but want to access the EJB. I may use a pool of threads and hence the login thread may be t1 and now I am in t2 when I went to viewOtherScreens.
Now question: How does JBoss get my Subject that was authenticated?
If the web page is secured then the identity will automatically be used for accessing ejbs. Otherwise, you have to establish the identity via a JAAS login.
>>Otherwise, you have to establish the identity via a JAAS login
Unfortunately we are not using secured access but http. I am not clear what it will take to establish the identity via a JAAS login and propagate that to the JBoss server. Does this mean call login() in each Servlet?
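One way to handle the thread-pool situation described above, as an added example that is not code from this thread or from JBoss: a servlet filter that performs the JAAS login with the ClientLoginModule on every request thread and logs out again before the thread goes back to the pool. It assumes the identity association is scoped to the calling thread (the reason the login on thread t1 would not be seen on t2), that the LoginServlet stored the user name and password in the HTTP session under the hypothetical keys `auth.user` and `auth.pass`, and that the JAAS configuration entry named `client-login` points at `org.jboss.security.ClientLoginModule`; the entry name and key names are assumptions, not something the thread states.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Re-establishes the JAAS identity on each request thread.
 * Assumptions (hypothetical, not from the original thread): LoginServlet put the
 * user name and password into the session under USER_KEY / PASS_KEY, and the
 * JAAS entry "client-login" is configured with org.jboss.security.ClientLoginModule.
 */
public class ClientLoginFilter implements Filter {
    static final String USER_KEY = "auth.user";     // assumed session key
    static final String PASS_KEY = "auth.pass";     // assumed session key
    static final String JAAS_ENTRY = "client-login"; // assumed JAAS configuration name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_KEY);
        char[] pass = session == null ? null : (char[]) session.getAttribute(PASS_KEY);
        if (user == null || pass == null) {
            chain.doFilter(req, res); // no established identity: let the servlet decide
            return;
        }
        LoginContext lc;
        try {
            lc = new LoginContext(JAAS_ENTRY, new StaticCallbackHandler(user, pass));
            lc.login(); // associates the identity with this request thread
        } catch (LoginException e) {
            throw new ServletException("JAAS client login failed", e);
        }
        try {
            chain.doFilter(req, res); // EJB calls made from the servlet carry the identity
        } finally {
            try {
                lc.logout(); // clear the association before the pooled thread is reused
            } catch (LoginException ignored) {
                // nothing sensible to do on logout failure during cleanup
            }
        }
    }

    /** Answers NameCallback and PasswordCallback from values captured at login time. */
    static final class StaticCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] pass;

        StaticCallbackHandler(String user, char[] pass) {
            this.user = user;
            this.pass = pass;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                Callback cb = callbacks[i];
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(pass);
                } else {
                    throw new UnsupportedCallbackException(cb, "Unsupported callback");
                }
            }
        }
    }
}
```

Map the filter to the servlets that call EJBs in web.xml. Logging out in the `finally` block is the important part for pooled threads: without it, a request served later on the same thread would inherit the previous user's identity. Because this approach keeps the credential server-side in the session for re-login, the simpler and safer route is the one Scott's reply names first: secure the web pages with container authentication, which propagates the identity to the EJBs without the application handling passwords at all.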