I would like to know how authenticated user information (username, Principal, etc.) is propagated from the web tier to the EJB tier. The web app and EJB components can be deployed on separate physical servers in the network. The web app code just gets the home object from the JNDI tree to make calls on EJB components, so I don't see any place where the identity propagation happens - somebody please throw some light.
Also, when a user is authenticated and identified, where is this information stored? I guess the request object, since it provides methods like getUserPrincipal().
If so, in case I use my own custom authentication mechanism, how can I set the authenticated user information so that declarative security takes effect in the web tier and EJB tier?