Basically, your servlet is a client to your EJBs. With JBoss, if a client is doing an explicit JAAS login, the established security context is propagated to the backend EJBs only if you have the JBoss ClientLoginModule as part of your JAAS configuration.
I am assuming that you edited the login-config.xml for JBoss to create your "domain" JAAS configuration. This configuration needs to look like that:

    domain {
        ...... //Any other login module that you might require.
        org.jboss.security.ClientLoginModule required;
    };

The ClientLoginModule at the end of your JAAS module stack will basically make sure that the security context is propagated to backend EJBs.

In your scenario:
#1 login
#2 call methods
#3 logout

If this is all one single HTTP request, then what you are doing is fine. If the #2 must spawn multiple HTTP requests, it is definitely better to let the container (Tomcat/JBoss) do the authentication for you through BASIC or FORM based authentication.

Thomas

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887785#3887785
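
The login / call / logout sequence from the post, confined to a single request, as an added example that is not part of the original post. `ScopedJaasLogin` and `callAs` are hypothetical names, and the code assumes the "domain" configuration ends with the ClientLoginModule as described above.

```java
import java.util.concurrent.Callable;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

/** Hypothetical helper: runs EJB calls between login() and logout() within one request. */
public final class ScopedJaasLogin {

    // "domain" is the JAAS configuration name used in the post above.
    private static final String CONFIG_NAME = "domain";

    private ScopedJaasLogin() { }

    public static <T> T callAs(final String user, final char[] password,
                               Callable<T> ejbCalls) throws Exception {
        // Supplies the credentials to every login module in the stack,
        // including the ClientLoginModule at the end.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };

        LoginContext lc = new LoginContext(CONFIG_NAME, handler);
        lc.login();                  // #1: a LoginException here means no EJB call is attempted
        try {
            return ejbCalls.call();  // #2: EJB invocations made here carry the caller's identity
        } finally {
            lc.logout();             // #3: runs even if an EJB call throws
        }
    }
}
```

A servlet would call `ScopedJaasLogin.callAs(...)` once inside `doGet` or `doPost`, passing the EJB invocations as the `Callable`, so nothing established by the login outlives the request.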