As the underlying security identities (such as users and groups) to which roles are mapped in a runtime environment are environment specific rather than application specific, it is desirable to:
Therefore, a servlet container is required to track authentication information at the container level and not at the web application level, allowing a user who is authenticated against one web application to access any other resource managed by the container which is restricted to the same security identity. |