Latest reply on Mar 2, 2006

    Rudimentary questions about how JAAS works

    Chul-Woo Choi


      This is a rudimentary question, but I'm not sure what the authenticated entity ACTUALLY is in a web app. Is it the session, or the object in which JAAS authentication occurred?

      For example, consider a user who wants to access a secured EJB through a web application. The user would log in on the JSF login page, and the backing bean would authenticate the user using the JAAS API (using JBoss' client-login, for example).
      In this case, is the user considered authenticated as long as the session is maintained? Or is it only the backing bean object that can access the secured area?

      Related question: how does the client-side authenticated subject propagate to the EJB side? Is it attached in the EJB home create() method call? If so, by whom?

      Thanks in advance for your help.