2 Replies Latest reply on Mar 17, 2005 10:39 AM by tcherel

    JAAS Subject and J2EE principal

    tcherel

      This is probably more a pure J2EE related question than a JBoss specific one, but I did not find a lot of literature on this subject.

      JAAS defines an extensible authentication mechanism, where, at the end, you end up with a Subject containing all the principals created through the authentication process.

      J2EE provides access to the current principal (via the EJB or servlet context).

      JAAS is supposed to be THE authentication mechanism for J2EE (according to J2EE 1.3 and 1.4 spec).

      So why am I not finding a way to access the authenticated JAAS Subject from my EJBs? I think this is a big hole that is breaking the JAAS extensibility mechanism.
      There is no point in creating your own JAAS login module that will add application-specific principals to the subject if you cannot access these principals in your application (EJBs) later on, is there?
      I agree, you can still make it work by creating a custom principal that will be the one the app server will return through the EJB context. But it seems more like a hack to me than a nice and smooth JAAS/J2EE integration.

      Am I just missing something or is there a good reason for not being able to access the JAAS Subject?

      Any lights on this topic will help. Thanks.

      Thomas

        • 1. Re: JAAS Subject and J2EE principal
          starksm64

          Because J2EE has not actually defined how JAAS should be used. In general security is under-defined in J2EE. There is a jcp that is being considered for inclusion into j2ee 1.5 that is supposed to define how a container delegates authentication to a provider:

          http://www.jcp.org/en/jsr/detail?id=196

          Hopefully that will define how a Subject should be made available, provided that it makes it into j2ee 1.5.

          • 2. Re: JAAS Subject and J2EE principal
            tcherel


            Thanks a lot for the answer Scott.

            I am glad to see that my understanding was not totally wrong.
            I did notice this JSR, but as the spec is not available for download and the activity seems to be fairly low, I could not verify that this will be my answer.

            I guess I will just have to wait and create a custom principal for now...

            Thomas
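The custom-principal workaround described in the question and settled on in the last reply, as an added example that is not code from this thread or from JBoss: a JAAS login module whose commit() adds an application-specific principal to the Subject, plus a helper an EJB can apply to the principal it gets back from SessionContext.getCallerPrincipal(). The class names AppPrincipal and AppLoginModule, the departmentOf() helper and the in-memory user table are assumptions made for the example.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Application-specific principal (hypothetical): carries the attribute the EJB layer needs.
final class AppPrincipal implements Principal {
    private final String name, department;
    AppPrincipal(String name, String department) { this.name = name; this.department = department; }
    public String getName() { return name; }
    public String getDepartment() { return department; }
    @Override public boolean equals(Object o) { return o instanceof AppPrincipal && ((AppPrincipal) o).name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
}

public class AppLoginModule implements LoginModule {
    // Constructed sample store: user -> {password, department}; a real module would check a hashed store.
    private static final Map<String, String[]> USERS = Map.of("alice", new String[] {"s3cret", "finance"});
    private Subject subject;
    private CallbackHandler handler;
    private AppPrincipal pending;   // built in login(), added to the Subject only in commit()

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        String[] rec = USERS.get(nc.getName());
        boolean ok = rec != null && Arrays.equals(rec[0].toCharArray(), pc.getPassword());
        pc.clearPassword();                                   // drop the cleartext password immediately
        if (!ok) throw new FailedLoginException("bad credentials");
        pending = new AppPrincipal(nc.getName(), rec[1]);
        return true;
    }

    public boolean commit() { if (pending == null) return false; subject.getPrincipals().add(pending); return true; }
    public boolean abort() { pending = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(pending); pending = null; return true; }

    // EJB side: hand in SessionContext.getCallerPrincipal() to recover the application attribute.
    public static String departmentOf(Principal caller) { return caller instanceof AppPrincipal ? ((AppPrincipal) caller).getDepartment() : null; }
}
```

Which of the Subject's principals a container hands back from getCallerPrincipal() is container-specific (the very gap the thread discusses), so the instanceof check in departmentOf() is what confirms the workaround actually took effect on your server rather than silently returning null.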