Web Services Stack provides a mechanism for authenticating clients in its runtime layer using the JAAS security framework. Security Infrastructure provides you with JAAS-based login modules for client authentication. When you log on using a JAAS login context, a javax.security.auth.Subject is produced by the logon security module. That subject contains Principals and credentials and is available to anyone on the execution chain through the message context.

Web Services Stack collects all available security credentials from the client request and populates them in Security Infrastructure SagCredentials (see Define the Login Modules). After that, the logon process is performed in the policy validator implementation of Rampart.