The security team will know more about this, but when a client provides the username and password they are held in the client security code until the first time a client accesses something on the server that requires authentication. Only then is any authentication actually performed.
So in your example when your client calls the EJB that is when the authentication actually occurs.
- Tim
[Message sent by forum member 'tjquinn']
http://forums.java.net/jive/thread.jspa?messageID=471832