A good summary of the FileNet P8 authentication process:
“When global security is enabled in WebSphere Application Server, all requests from clients to Enterprise JavaBeans are sent as RMI/IIOP messages via the Object Request Broker (ORB) to the server that hosts the enterprise beans. As part of every such request and response, the ORB invokes the Secure Association Service (SAS) on the client and the server sides. On the client side, SAS intercepts requests before they are sent, obtains the client’s security credentials, attaches the credentials to the request as part of the security context, and sends the request. On the server side, SAS intercepts the incoming request, extracts the security context from the message, authenticates the client’s credentials, and passes the request to the enterprise bean container, where the request is authorized. The response is also routed through the SAS interceptors.”
