Hi,
When we have a checked URI and we authenticate successfully, the principal is available from the current request object. However, if we navigate to an unchecked URL (I mean one with no security-constraint imposed), then the principal is not available.
I thought that the JAAS implementations save the principal in HttpSession after authentication. But NO. JBoss seems to save this principal information *somewhere*, and if a web resource with a security-constraint is asked for, it checks, retrieves and saves the principal info in the request object.
Where does JBoss's JAAS impl store the authenticated principals and its mapping with session ids? And why not just save it in the usual session?
Any insights?
TIA Navjot Singh
Sign on Tombstone: "Here lies an atheist, all dressed up and nowhere to go."