If you are using basic auth, then the credentials are going to be passed in each and every HTTP request, which means you don't need to cache them. When using basic auth in JBossWS, it will authenticate you according to its security zone, store the credentials, pass them to the EJB layer on invocation, at which point the EJB layer will authenticate you again. Both would use the same JAAS module.
There is a wiki entry that describes how to configure basic auth:
The purpose of caching is to avoid an expensive authentication operation to the security server.
Passing credentials to the EJB layer is outside the requirements; the goal is to use the token for post-JBossWS layer authentication (and again avoid an expensive authentication call). Storing the token in the MessageContext is convenient to this use case. (EJB layer invocation is not through InvokerProviderEJB but through a custom provider to support backend heterogeneity.)
My question is more relevant to using a custom handler for authentication (similar to SimpleAuthenticationHandler.java) as opposed to using a JAAS login module. Could someone please comment on this.
It's just a question of reuse. If the authentication mechanism is not going to be used for anything but the webservice, then it hardly matters how it's implemented. If the authentication mechanism is going to be used with servlets, EJBs, datasources or any other resource that supports the JBoss JAAS-style authentication, then a login module is the better choice.
Thanks a lot for the clarification. I appreciate the prompt response. Really makes a difference.
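The caching requirement discussed in this thread, as an added example that is not code from any poster or from JBossWS: a small cache that a custom authentication handler could consult before calling the security server, and whose returned token the handler could then store in the MessageContext. The class name `TokenCache`, the `securityServer` callback and the TTL are hypothetical; the code assumes Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: caches tokens issued by an expensive authenticator.
public final class TokenCache {
    private record Entry(String token, long expiresAtMillis) {}

    private final ConcurrentHashMap<String, Entry> entries = new ConcurrentHashMap<>();
    private final byte[] hmacKey = new byte[32];   // per-process key, never persisted
    private final long ttlMillis;
    private final BiFunction<String, char[], Optional<String>> securityServer;

    public TokenCache(long ttlMillis, BiFunction<String, char[], Optional<String>> securityServer) {
        new SecureRandom().nextBytes(hmacKey);
        this.ttlMillis = ttlMillis;
        this.securityServer = securityServer;      // assumed: returns a token on success
    }

    // Returns a token for valid credentials; calls the security server only on a miss.
    public Optional<String> authenticate(String user, char[] password) {
        String key = cacheKey(user, password);
        long now = System.currentTimeMillis();
        Entry hit = entries.get(key);
        if (hit != null && hit.expiresAtMillis() > now) return Optional.of(hit.token());
        if (hit != null) entries.remove(key, hit); // drop the expired entry
        Optional<String> token = securityServer.apply(user, password);
        // Only successes are cached: a failed login is always re-checked upstream.
        token.ifPresent(t -> entries.put(key, new Entry(t, now + ttlMillis)));
        return token;
    }

    // Key is HMAC(user NUL password), so the map never holds a recoverable password.
    private String cacheKey(String user, char[] password) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            mac.update(user.getBytes(StandardCharsets.UTF_8));
            mac.update((byte) 0);
            mac.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(mac.doFinal());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The TTL bounds how long a password change or account lockout on the security server goes unnoticed by the web-service layer, so it should be chosen with that window in mind.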