Good Day cchoi,

In the Tomcat servlet container, an authenticated entity is stored as a Principal in the Session. This principal is really an extension of java.security.Principal that also stores an array of String "roles". On every request (if a web app has been configured to use Container Managed Security), a check is made to see if the request has a security constraint, if there is a Principal, and if the Principal has the role configured as the constraint.

If your Tomcat server is embedded in JBoss, then this principal and the original credentials (i.e. password) are sent with each request to the EJB Container. You can look at the org.jboss.web.tomcat.security.SecurityAssociationValve for more details. As well, you should read Chapter 8 of the server guide: http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html

Hope this helps clarify,
cgriffith

View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3927616#3927616

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
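A simplified model of the per-request check described in the reply above, added here as an illustration; it is not Tomcat's or JBoss's code. The names `RolePrincipal`, `Decision` and `check` are hypothetical, and the sample users and roles are constructed.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ConstraintCheckDemo {
    // Hypothetical stand-in for the container's principal: a name plus role names.
    static final class RolePrincipal implements Principal {
        private final String name;
        private final String[] roles;
        RolePrincipal(String name, String... roles) {
            this.name = name;
            this.roles = roles.clone();
        }
        @Override public String getName() { return name; }
        boolean hasRole(String role) { return Arrays.asList(roles).contains(role); }
    }

    enum Decision { ALLOW, CHALLENGE, FORBIDDEN }

    // requiredRoles == null   : no security constraint matches the request.
    // sessionPrincipal == null: nobody has authenticated in this session.
    static Decision check(Set<String> requiredRoles, RolePrincipal sessionPrincipal) {
        if (requiredRoles == null) return Decision.ALLOW;         // 1. no constraint on this request
        if (sessionPrincipal == null) return Decision.CHALLENGE;  // 2. no Principal: ask for login
        for (String role : requiredRoles) {                       // 3. any one constrained role suffices
            if (sessionPrincipal.hasRole(role)) return Decision.ALLOW;
        }
        return Decision.FORBIDDEN;                                // authenticated, but lacks the role
    }

    public static void main(String[] args) {
        Set<String> adminOnly = new HashSet<>(Arrays.asList("admin"));
        RolePrincipal alice = new RolePrincipal("alice", "user");         // constructed sample
        RolePrincipal bob = new RolePrincipal("bob", "user", "admin");    // constructed sample

        System.out.println("unconstrained, anonymous: " + check(null, null));
        System.out.println("admin-only, anonymous:    " + check(adminOnly, null));
        System.out.println("admin-only, alice:        " + check(adminOnly, alice));
        System.out.println("admin-only, bob:          " + check(adminOnly, bob));
    }
}
```

The decision depends only on the role names held by the session's Principal, so a role change for a user takes effect once that user's Principal is rebuilt, typically at the next login.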
