Hi,

I am trying to determine the best way to implement a declarative security methodology. I run JBoss 4 and have stateless session beans (EJBs) accessed by SOAP web service clients.

1. I would like to be able to restrict certain web service methods to certain users/groups declaratively.

2. I notice that the ThreadLocal-based secure context used by Acegi depends on the invoker's intercepted thread name being constant throughout a secure (HTTP) session.

3. To try to extend this concept from the usual Acegi servlet/web client to a web service or RMI client, I have built an AOP interceptor for my EJB that receives my web service calls. I printed out the thread names of my EJB and the interceptor and found out that the interceptor runs under a different thread than the EJB. Does this mean Acegi cannot be used in this scenario?

4. Do you have any suggestions for a solution I might try?

Thanks,

Dave