1) Implementing some kind of authentication mechanism using JAAS on the
client side. Once the user is authenticated their Principal object is
passed on to AppServer.
Problems with this are that I don't know how to hand the Principal
object to AppServer (what methods to call, do I need to lookup something
via JNDI?) and even if I did, what is to keep a rogue client from just
making up its own Principal object that lies about the user's identity?
2) Keep the JAAS implementation inside of AppServer implemented as a
stateless session bean.
The problem with this is that I still don't know how AppServer
decides upon the Principal to use.
There has got to be some kind of interface that allows me to tell it
what Principal owns the current Thread.
Could someone please point me to some documentation that I have
overlooked or some example code?
Thanks in advance,
-M@