Thanks Ron. After I posted this message I discovered your blog and subsequently JSR 196. I've been reading through the spec and have a couple questions, hopefully you wouldn't mind pointing me in the right direction.
I am using form authentication, and on the first post-back my SAM can authenticate the supplied credentials. For this app, that means a trip to the db. My questions are:
- How do I tell the container what Subject should be used for subsequent authorization decisions? From the spec it sounds like I should add the authenticated Principals to the container-supplied, client subject.
- Once a client is authenticated should my SAM cache the Principals in the session object?
- On each request, how will my SAM know if authentication has already taken place? It appears the container-supplied client Subject is new with each request and the server Subject is null.
- How are sessions and time-outs to be managed?
Thanks for your help,
Andrew
[Message sent by forum member 'andrewlaughlin']
http://forums.java.net/jive/thread.jspa?messageID=393372
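An illustrative ServerAuthModule for the form-login flow described in the questions above, added here as an example; it is not code from this thread, from Ron's blog, or from any container. It assumes hypothetical names for the login page, the login action URL and the session attribute (`LOGIN_PAGE`, `LOGIN_ACTION`, `SESSION_KEY`), and a constructed in-memory `CredentialStore` standing in for the application's database trip. It shows the caller and group principals being pushed into the container-supplied client Subject through `CallerPrincipalCallback` and `GroupPrincipalCallback`, the authenticated result cached in the HttpSession, and that cache consulted on later requests, where the client Subject arrives fresh each time; session time-outs fall out of the container's HttpSession expiry, which makes the cache lookup return null.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

/** Illustrative form-login SAM: added example, not code from this thread or from any container. */
public class FormLoginSam implements ServerAuthModule {
    // Hypothetical names chosen for this example; JSR 196 defines none of them.
    private static final String SESSION_KEY = "example.sam.user", LOGIN_PAGE = "/login.jsp", LOGIN_ACTION = "/j_sam_login";
    // Defined by the JSR 196 Servlet profile: "true" when the requested resource is protected.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;

    public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy, CallbackHandler handler, Map options) {
        this.handler = handler;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) info.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(IS_MANDATORY)));
        try {
            // Later requests: clientSubject is new each time, so re-establish the caller from the
            // HttpSession cache. A timed-out session yields null and the login form is shown again.
            HttpSession session = req.getSession(false);
            CachedUser user = session == null ? null : (CachedUser) session.getAttribute(SESSION_KEY);
            if (user != null) {
                establishCaller(clientSubject, user);
                return AuthStatus.SUCCESS;
            }
            // Form post-back: verify credentials (this is where the application's db lookup goes).
            if ("POST".equals(req.getMethod()) && req.getRequestURI().endsWith(LOGIN_ACTION)) {
                user = CredentialStore.authenticate(req.getParameter("j_username"), req.getParameter("j_password"));
                if (user == null) {
                    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return AuthStatus.SEND_FAILURE;
                }
                if (session != null) session.invalidate();           // fresh id: session-fixation defence
                req.getSession(true).setAttribute(SESSION_KEY, user); // cache for subsequent requests
                establishCaller(clientSubject, user);
                return AuthStatus.SUCCESS;
            }
            if (mandatory) { // protected resource, nobody logged in: send the form and stop this request
                res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
                return AuthStatus.SEND_CONTINUE;
            }
            // Unprotected resource: report "no caller" and let the container proceed.
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    /** Puts caller and group principals into the container-supplied client Subject via the callbacks. */
    private void establishCaller(Subject clientSubject, CachedUser user) throws Exception {
        handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user.name),
                                        new GroupPrincipalCallback(clientSubject, user.groups) });
    }

    public AuthStatus secureResponse(MessageInfo info, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }

    /** Logout: drop the cached entry so the session can no longer re-authenticate the caller. */
    public void cleanSubject(MessageInfo info, Subject subject) {
        HttpSession session = ((HttpServletRequest) info.getRequestMessage()).getSession(false);
        if (session != null) session.removeAttribute(SESSION_KEY);
        subject.getPrincipals().clear();
    }

    /** Serializable so the cache survives session passivation or replication. */
    static final class CachedUser implements Serializable {
        final String name; final String[] groups;
        CachedUser(String name, String[] groups) { this.name = name; this.groups = groups; }
    }

    /** Constructed stand-in for the database: one user "andrew" whose password is "secret". */
    static final class CredentialStore {
        private static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        private static final Map<String, byte[]> HASHES = new HashMap<String, byte[]>();
        static { HASHES.put("andrew", hash("secret")); }

        static CachedUser authenticate(String username, String password) {
            byte[] expected = username == null ? null : HASHES.get(username);
            // Constant-time compare; a real store would use a slow hash such as PBKDF2 or bcrypt.
            if (expected == null || password == null || !MessageDigest.isEqual(expected, hash(password))) return null;
            return new CachedUser(username, new String[] { "users" });
        }

        private static byte[] hash(String password) {
            try {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                md.update(SALT);
                return md.digest(password.getBytes(StandardCharsets.UTF_8));
            } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
        }
    }
}
```

The module is registered with the container's AuthConfigFactory in the usual JSR 196 way; that wiring, and remembering the originally requested URL so the login redirect can return to it, are left out to keep the example focused on the Subject and session handling. The design choice worth noting is that the session caches only the minimal serializable record (name and groups), never the credentials, and the principals are re-applied to the new client Subject on every request through the callbacks rather than being stored in the Subject itself.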