After an authenticated identity is established, WebJASPIAuthenticator registers this with the current request, session (if cache is enabled) and optionally SSO:
What it does not do, however, is register this same information with the SecurityContext, where EJB programmatic security can pick it up.
On the next request, org.jboss.as.web.security.SecurityContextAssociationValve will do this registration, but this means:
- Programmatic EJB security (EJBContext#isCallerInRole, etc.) cannot be used in the same request in which authentication took place, since the SecurityContextAssociationValve runs before WebJASPIAuthenticator
- This mechanism depends on the session cache being used. (This is true by default in JBoss, but according to the JASPIC spec it should not be, and users may opt to disable it, possibly because some SAM could require this in order to function correctly.)
I would like to propose putting code like the following in the mentioned register method or just after it, e.g.
Maybe the security context should be created if it does not exist, but I think it should always exist at the given point, shouldn't it?
Note that this depends on SECURITY-744, since in the current trunk version of WebJASPIAuthenticator the Subject isn't built at all.