Well...after a bit of digging, I found that iTracker does *NOT* use container-based security. You can tell by looking at ejb-jar.xml where you won't find any security tags.
What it does is let any EJB method be called by anyone. Ditto with all servlets. It uses a classic Guard pattern by having all the JSP pages check for a user session object to indicate if someone is logged in. Because of this, doing automatic login via a cookie is trivial (though they could at least encrypt the cookie, but the cookie looks like a simple user id). This technique is used in ASP, CF, PHP, etc. designs. It also explains how iTracker can be cross-platform and work on JBoss, WebLogic, etc.

For those curious, you can look at check-login.jsp which is included in all the JSP pages of this app.

Anyone know of a JBoss custom login module god I can talk to? :-P

ken

_______________________________________________
JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
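
The auto-login cookie described above carries a bare user id, so the server has no way to tell a value it issued from one a client edited. As an added example (not iTracker's code and not from the original post; the class name, token layout and secret handling are assumptions), a Java helper that binds the user id and an expiry under an HMAC and rejects altered or expired values:

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper, not part of iTracker: issues and verifies an
// auto-login cookie value of the form "userId:expiryEpochSeconds:mac".
public class RememberMeToken {
    private final SecretKeySpec key;

    public RememberMeToken(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }
    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }
    public String issue(String userId, long expiryEpochSeconds) throws Exception {
        String payload = userId + ":" + expiryEpochSeconds;
        return payload + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }
    // Returns the user id if the token is authentic and unexpired, else null.
    public String verify(String token, long nowEpochSeconds) throws Exception {
        int last = token.lastIndexOf(':');
        if (last < 0) return null;
        String payload = token.substring(0, last);
        int sep = payload.lastIndexOf(':');
        if (sep <= 0) return null;
        byte[] presented;
        long expiry;
        try {
            presented = Base64.getUrlDecoder().decode(token.substring(last + 1));
            expiry = Long.parseLong(payload.substring(sep + 1));
        } catch (IllegalArgumentException e) { return null; } // bad base64 or bad number
        // Constant-time comparison of the recomputed MAC with the presented one.
        if (!MessageDigest.isEqual(mac(payload), presented)) return null;
        if (nowEpochSeconds >= expiry) return null;
        return payload.substring(0, sep);
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo secret and user ids; a real key would come from server config.
        RememberMeToken t = new RememberMeToken("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String good = t.issue("42", 2_000_000_000L);
        System.out.println(t.verify(good, 1_700_000_000L));                     // authentic token
        System.out.println(t.verify("43" + good.substring(2), 1_700_000_000L)); // user id altered
        System.out.println(t.verify(good, 2_000_000_001L));                     // past expiry
    }
}
```

A guard page in the style of check-login.jsp would call `verify` on the cookie value and create the session object only when it returns a user id.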