Thanks for the bootstrap. I've looked around the classes involved and from what I 
understand of the code....

I noticed that during the overridden authenticate method on JBossSecurityMgrRealm the 
Subject created by the LoginContext instance is stored in a SecurityAssociation 
ThreadLocal instance - I was wondering what became of this Subject?

I also notice that JBossSecurityMgrRealm also supports the Tomcat Valve interface (not too 
sure about Valves but my understanding is they are an interception framework for 
request/response pipeline).

My guess is that at some point later, the same thread that had a Subject stored in the 
SecurityAssociation from the authenticate call also calls the invoke method on the 
pipeline? 

Is this how the "active" subject for this request is retrieved from 
SecurityAssociation?

If the above is true then I can see that the active subject is then stored in the 
request object. But that will only have a lifetime of the request - so is there a 
filter or some other interception point where the subject is taken from the request 
and put in the user's web session?

If not, how is the authenticated Subject maintained between requests from Tomcat?

<a href="http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827840#3827840">View the original post</a>

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user