Reading through the j2ee spec, i found a section called Distributed Security (J2EE.3.3.5). It talks about a secure association being established between the web container and the ejb container to manage context. This, it sounds like, allows you to authenticate/authorize once and carry the resultant context to the ejb server for sercurity validation. First, can anybody tell me how this works (lower level)? Second, can anybody tell me if this works in a system that uses weblogic for ejb and tomcat for jsp?
If you don't know these answers, can you relate your experiences with integrating security and state management across apache and weblogic?