Thanks Kumar for the the in depth answer.
There seem to be be one quote from the EJB specs missing at the end but your
post already made things much clearer for me.
I see that SSl/TLS can secure the credentials while traveling the network.
If I understand you correctly it should be possible to call the login
modules authenticateUser() only once for each user session. I don't
understand however how I specify a reuseable security context to achieve
this. Is this just done by labeling the EJB stateful? If so, am I correct
that you can never achieve this for a stateless EJB (the authenticateUser()
method will be called for every call to an EJB method)?
Best regards,
Jan Snelders
--
[Message sent by forum member 'snelders']
View Post: http://forums.java.net/node/820784