Since only calls from an SAP Application Server ABAP can reach the JRA Server listening threads, authentication is performed on the Application Server ABAP itself, when the user logs on to the Application Server.
If neither SSO nor SNC is activated for the Destination (transaction SM59), no additional authentication check is made on the Java Server side.
Detailed information on the security mechanisms for server programming is available here:
● SSO
● SNC