Currently I am authenticating clients via a servlet. This servlet then invokes SecurityAssocitation.setPrincipal() to store the user id.
My EJBs then check via a SecurityProxy if the user id (fetched by getCallerPrincipal() from the local EJBContext) is authorized to do what it wants.
I do not use any JAAS related stuff.
My question now is if this idea is safe enough, in other words, can the EJB _rely_ on the fact that its EJBContext's CallerPrincipal was definitely set by the authorization servlet? Or is it possible for a client to bypass that servlet and call SecurityAssociation.setPrincipal() itself?
Thanks a lot in advance, any help is very much appreciated! Cheers Dominik