I tried to figure out how the container-managed security is handled when the tomcat is running inside the jboss. 1. I found the source code for SecurityAssociationValve. However, I did not see any where this valve is configured in the server.xml and it is clearly used in JBossSecurityMgrRealm
Principal caller = (Principal) SecurityAssociationValve.userPrincipal.get();
if (caller == null && username == null && credentials == null)
Can anyone tell me where this caller data in the SecurityAssociationValve is set?
2. The tomcat has some internal value such as the security check valve? Is this valve called before my custom valve such as FormAuthValve? Where is the valve sequence is specified?