At my customer we have a legacy application that used to authenticate to JBoss 4.2.3 via the web container security module in web.xml over form-based authentication. In our EJBs we restrict access to methods using permissions.
Now we need to throw away the web-based authentication and start using a CAS server (external).
When we disable the security constraint in the web.xml we get errors from the EJBs (as expected), but we do not know how to inject the principals and work around the authentication.
The questions are: