I'm trying to understand the EJB security model. From what I've read, EJB methods can have restricted access, such that only certain "people" can invoke them. I also know that under the Java 1.2 security model, objects can "impersonate" people. How exactly, do I have an EJB claim to represent a particular identity? What information do I need to give to the EJB? What then, does the EJB give, and to whom, to prove that it has permission to access a certain method? Thanks.