Each supported Java™ EE application server integrates JAAS into its security framework, but because the Java EE standard does not specify how to do this integration, each Java EE vendor has its own integration approach. This means that each Java EE application server has a special, unique way of doing a valid login, which is defined here as a JAAS login that is recognized by the rest of the vendor's Java EE framework. If the JAAS login is not performed in the way that is valid for that application server, the security identity does not propagate to the FileNet® P8 EJB layer.
As an example, in Oracle WebLogic, the JAAS Subject has special validated principals that, by default, are digitally signed only by a WebLogic Authentication Provider, whereas IBM® WebSphere® software takes the approach of adding special WSPrincipals and WSCredentials objects that can be generated only by special WebSphere LoginModules. JBoss does not use special, valid Subjects, but employs the strategy of using hidden thread local storage to store and pass around security data. This thread identity must be set up only by a JBoss LoginModule.
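The following added example (not FileNet or vendor code) shows why a login that succeeds in JAAS can still be invalid in the sense used here: a hand-written LoginModule produces a Subject with only a plain principal, and a simple check reports that no vendor principal is present. The class names `SubjectProvenanceCheck`, `HomegrownLoginModule` and `PlainPrincipal`, the user `alice`, and the vendor package prefixes are assumptions made for illustration. The check does not apply to JBoss, which keeps its identity in thread local storage rather than in the Subject.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SubjectProvenanceCheck {
    // Assumed package prefixes of vendor principal classes; confirm against your server's documentation.
    static final List<String> VENDOR_PREFIXES = List.of("weblogic.security.", "com.ibm.");

    // Constructed stand-in for a hand-written module: it authenticates, but adds only a plain Principal.
    public static class HomegrownLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }
        public boolean commit() { subject.getPrincipals().add(new PlainPrincipal("alice")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    record PlainPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // True only if at least one principal's class comes from an assumed vendor package.
    static boolean hasVendorPrincipal(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            String cls = p.getClass().getName();
            if (VENDOR_PREFIXES.stream().anyMatch(cls::startsWith)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws LoginException {
        // In-memory JAAS configuration so the example runs without a login configuration file.
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    HomegrownLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        LoginContext lc = new LoginContext("Homegrown", new Subject(), null, cfg);
        lc.login(); // succeeds as far as JAAS is concerned
        Subject s = lc.getSubject();
        s.getPrincipals().forEach(p -> System.out.println(p.getClass().getName() + " -> " + p.getName()));
        System.out.println("vendor principal present: " + hasVendorPrincipal(s));
    }
}
```

A vendor-packaged principal class is a necessary sign, not proof of validity: WebLogic, for instance, also requires its principals to be signed by an Authentication Provider.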
The following subtopics provide more information that is specific to supported application servers.