What should happen (if your web app is session based) is the user is authenticated once in your servlet container. This should occur when the user attempts to access a secured URL the first time. After this first authentication, the user should not have to authenticate to the servlet container again, as long as the session is the same.
In the EJB container, every request to access a secured EJB must be authenticated. But the first time a request is authenticated in a JBoss security domain, the username and credential are cached. Then the next (and subsequent) requests from the same principal (i.e. username) are checked to see if the credential matches the cached credential.
Thus you should have one JAAS login for your servlet container, and one JAAS login for your EJB container. Any more indicates you may have something configured incorrectly. Unless, of course, that is what you want.
hope this helps, cgriffith
Since the web and the EJB layers are bound by the same security domain, subsequent auth requests (for the EJB calls) after the first successful auth to the web layer go through the cache that exists in the JaasSecurityManager. This is normal behavior. You will see auth requests going out to the JaasSecurityManagerService. (Is this what you are concerned about?)
Every request on the server side goes through security. That's the reason we have a timed cache for performance.
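
An added example, not from the thread and not JBoss source code: a small Java model of the timed credential cache both replies describe, where the first request runs the full login and later requests from the same principal are checked against the cached credential. The class name `TimedAuthCache`, the 30-second timeout and the constructed user store are assumptions for illustration; the run also exercises the case where the credential changes in the backing store while a cache entry is still live.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

/** Illustrative model of a timed credential cache (hypothetical class, not JBoss code). */
public class TimedAuthCache {
    private record Entry(byte[] credential, long expiresAtMillis) {}
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final BiPredicate<String, byte[]> fullLogin; // stands in for the JAAS login modules
    private final long ttlMillis;
    int fullLogins = 0; // how many requests reached the backing login

    TimedAuthCache(BiPredicate<String, byte[]> fullLogin, long ttlMillis) {
        this.fullLogin = fullLogin;
        this.ttlMillis = ttlMillis;
    }

    boolean isValid(String principal, String password, long nowMillis) {
        byte[] presented = password.getBytes(StandardCharsets.UTF_8);
        Entry e = cache.get(principal);
        // Live cache entry: compare with the cached credential in constant time.
        if (e != null && nowMillis < e.expiresAtMillis()
                && MessageDigest.isEqual(e.credential(), presented)) {
            return true;
        }
        // Miss, expiry or mismatch: fall back to the full login.
        fullLogins++;
        if (!fullLogin.test(principal, presented)) {
            cache.remove(principal);
            return false;
        }
        cache.put(principal, new Entry(presented, nowMillis + ttlMillis));
        return true;
    }

    public static void main(String[] args) {
        // Constructed user store with one account; the password is rotated mid-run.
        Map<String, String> store = new ConcurrentHashMap<>(Map.of("alice", "s3cret"));
        TimedAuthCache c = new TimedAuthCache(
            (u, p) -> MessageDigest.isEqual(store.getOrDefault(u, "").getBytes(StandardCharsets.UTF_8), p),
            30_000);
        System.out.println(c.isValid("alice", "s3cret", 0));      // first request: full login runs
        System.out.println(c.isValid("alice", "s3cret", 1_000));  // later EJB call: cache is consulted
        store.put("alice", "rotated");                            // credential changes in the store
        System.out.println(c.isValid("alice", "s3cret", 2_000));  // inside the timeout: store is not consulted
        System.out.println(c.isValid("alice", "s3cret", 31_000)); // after the timeout: full login runs again
        System.out.println("full logins: " + c.fullLogins);
    }
}
```

The timeout is the window during which a changed or revoked credential is still answered from the cache, so it is a trade-off between login-module load and how quickly credential changes take effect.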