Propagating security context to EJBs
I would like to know if it is possible to use form-based or basic login authentication in the web tier, and then be able to easily propagate that security context in JNDI to creating protected EJBs. My understanding is that if using form-based login on the web tier, the container will automatically direct the request to the login page for authentication.
Then, upon successful authentication based on the credentials supplied (password), the container redirects the request to the protected web resource (let's say a servlet). If the servlet then must access a protected EJB (based on a role in the deployment descriptor), it must set the principal (username) and credential (password) in a property set to be passed to the Initial JNDI Context object in order to propagate the security context from web tier to EJB tier.
However, since the servlet has no access to the credential (password) at this point, it cannot set it in the context. Only the principal is available, right?
Note that I am not using JAAS, just JNDI in WLS 6.
Please let me know if there is a way to use the declarative J2EE security and still be able to easily propagate the security context to the EJBs.
Thanks for any help...

