One of my teammates has created a custom login module that we are using to add Principals and private credentials to the Subject.
My problem at this point is that client applications using the EJB module are also allowed to add principals and credentials. I am looking for a way to prevent this.