Looking at the JavaWorld JAAS paper again, I see that subsequent web calls *don't* use the principal object, leading me to think I have to cache the principal in HTTPSession and use it appropriately thereafter.
This assumes I can run some servlet/JSP code before the restricted stuff that requires the principal.

Martin

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3823070#3823070