Hi,
Although it's not directly what you asked, one thing which you may want to
take into account is that in the web layer (via HttpServletRequest) the
user/caller principal corresponding to the unauthenticated identity is
always null. When using the EJBContext that same user/caller principal is
something container specific (although contrary to the web layer never
null).
EJB is underspecified here (just as with the run-as principal). Likewise, the
way in which a security context established in the web layer propagates to
EJB is not clear either. There's a vague paragraph about a security domain
that should be consulted, which JBoss takes very literally (for secured
beans it attempts to re-authenticate instead of propagating the established
context); for non-secured beans it doesn't do this.
Finally there are a couple of implementation differences between JBoss'
native login modules and the Java EE standard JASPIC ones. For JASPIC you
would call HttpServletRequest.authenticate() and the "login module" (SAM)
would pass a null to the CallerPrincipalCallback in order to establish the
unauthenticated identity.
Hope this somehow helps.
On Friday, August 8, 2014, Wolfgang Knauf <wolfgang.knauf(a)gmx.de> wrote:
Hi guys,
I try to sort out the "unauthenticatedIdentity" feature for JAAS login
modules in WildFly 8.
To my understanding, when logging in without username/password, the
login module should fall back to this "unauthenticatedIdentity", which
can only access public content (e.g. unsecured or @PermitAll ejb methods).
But without a login, my public ejb method shows that
"this.sessionContext.getCallerPrincipal().getName()" returns
"anonymous", which is NOT the "unauthenticatedIdentity" value.
And "httpRequest.login(null, null)" will fail because of the Undertow
implementation.
How can I switch to the user name declared in the
"unauthenticatedIdentity"?
Same question e.g. here:
https://community.jboss.org/thread/237899
Seems I have a basic misunderstanding about this ;-), but I can't find a
clear explanation on the web...
Best regards
Wolfgang Knauf
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev