#17 Need support for unauthenticated users

v2.3 (unstable)

JBoss needs support for:
J2EE Spec 1.2, Section Unauthenticated Users
Web containers are required to support access to web
resources by clients that
have not authenticated themselves to the container.
This is the common mode
of access to web resources on the Internet. A web
container reports that no user
has been authenticated by returning null from the
method getUserPrincipal.

The EJB specification requires that the EJBContext
getCallerPrincipal always return a valid Principal
object. It can never
return null. However, it’s important that components
running in a web
container be able to call enterprise beans, even when
no user has been
authenticated in the web container. When a call is
made in such a case from a
component in a web container to an enterprise bean, a
J2EE product must
provide a principal for use in the call.

A J2EE product may provide a principal for use by
unauthenticated callers using
many approaches, including, but not limited to:
- Always use a single distinguished principal.
- Use a different distinguished principal per server,
or per session, or per
- Allow the deployer or system administrator to choose
which principal to use.
This specification does not specify how a J2EE product
should choose a
principal to represent unauthenticated users, although
future versions of this
specification may add requirements in this area.


  • Scott M Stark

    Scott M Stark - 2001-06-27
    • status: open --> closed
  • Scott M Stark

    Scott M Stark - 2001-06-27

    Logged In: YES

    This has been added to 2.4 An unauthenticated-principal tag
    was added to the jboss.xml descriptor for use in the

  • Scott M Stark

    Scott M Stark - 2001-06-27
    • status: closed --> closed-fixed

Log in to post a comment.