There seem to be 2 different ways of authenticating with JAAS and
making secure calls to EJBs:

Way A:
1a) authenticate via JAAS LoginContext.login()
2a) obtain a subject
3a) make calls to EJBs with the Subject.doAs(subject, action) construct

Way B:
1b) authenticate via JAAS LoginContext.login()
2b) obtain a subject
3b) just make calls to the EJB without using the construct. Example:
myEJB.methodA();

Way A is described on many sites.
Way B is published in the new Ed Roman book (3rd Edition).

Are both correct?
I would be more confident knowing an example directly provided by Sun,
or having sources from Sun Microsystems for this.
Although I think Ed Roman knows what he is doing, it seems too easy
for me and I ask myself if something changed in EJB/JAAS between the
2nd and 3rd Edition of the book?

Regards,

Jay