Can the security context be passed between a web container (servlets/JSP) and an EJB container? When the servlet calls an EJB, I want its identity to be that of the original web client authenticated with a certificate.

Siva Visveswaran

The whole issue of propagation of authentication context from client to the EJB server is still evolving - both in terms of the specification as well as vendor offerings. According to the current Java 2 specification (page 224):

"the container is the authentication boundary between callers and components hosted by the caller. For inbound calls it is the container's responsibility to make an authentic representation of the caller identity available to the component".

The JAAS 1.0 specification extends the types of principals and credentials that can be associated with the client, but it is also evolving.

Thus, given the container implementation that is required to drive this whole thing, the answer depends on your app vendor - some, like WebLogic (WLE) and WebSphere, provide security plug-ins/SDKs that can enable the propagation. Other vendors are close behind. Check your vendor plug-in.