My application consists of 2 EARs. One EAR has the web application and presentation logic. The other EAR consists of secured session EJBs.
In the Web App EAR I defined a ServletContextListener that will authenticate itself with the EAR containing the secured EJBs. I am doing this using the ClientLoginModule. The EAR with the secured EJBs contains a SAR that defines a custom login module where I also create a custom Principal.
My problem is that when a request comes in from the web application and that thread tries to access the secured EJBs, it fails saying I am unauthorized to do so. Does anyone know how to associate the calling thread with the security context created in the ServletContextListener?
During the JAAS authentication, I am storing the Subject returned from the login method. I have tried Subject.doAs but it doesn't work. I am porting my application from WebLogic where it works fine using the Subject.runAs provided by a WebLogic library.
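One way to give each request thread its own security association rather than relying on the one created once at startup, as an added illustration that is not code from the question: a servlet filter that performs the JAAS login against JBoss's ClientLoginModule on the calling thread and logs out when the request completes. It assumes a JAAS configuration entry named client-login that maps to ClientLoginModule and a hypothetical pair of filter init-params for the EJB client identity.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;

// Per-request login so the thread that actually calls the secured EJBs
// carries the principal/credential that ClientLoginModule associates
// with the current thread; a login done on the listener's startup thread
// is not visible to request threads in the default (thread-local) mode.
public class EjbClientLoginFilter implements Filter {
    // Assumed JAAS configuration name that maps to ClientLoginModule.
    private static final String LOGIN_CONFIG = "client-login";
    private String principalName;
    private char[] credential;

    public void init(FilterConfig cfg) {
        // Hypothetical init-params; in a real deployment source the
        // credential from a protected store rather than web.xml.
        principalName = cfg.getInitParameter("ejbUser");
        credential = cfg.getInitParameter("ejbPassword").toCharArray();
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        LoginContext lc;
        try {
            lc = new LoginContext(LOGIN_CONFIG, new CallbackHandler() {
                public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                    for (Callback cb : callbacks) {
                        if (cb instanceof NameCallback) {
                            ((NameCallback) cb).setName(principalName);
                        } else if (cb instanceof PasswordCallback) {
                            ((PasswordCallback) cb).setPassword(credential);
                        } else {
                            throw new UnsupportedCallbackException(cb);
                        }
                    }
                }
            });
            lc.login(); // binds the identity to this request thread
        } catch (LoginException e) {
            throw new ServletException("EJB client login failed", e);
        }
        try {
            chain.doFilter(req, resp); // EJB calls made here carry the identity
        } finally {
            try { lc.logout(); } catch (LoginException ignored) { } // clear it again
        }
    }

    public void destroy() { }
}
```

Scoping the association to the request and clearing it in finally keeps the EJB identity from leaking to whatever the container runs next on that pooled thread.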