I am trying to determine the best way to implement a declarative security methodology. I run JBoss 4 and have stateless session beans (EJBs) accessed by SOAP web service clients.
1. I would like to be able to restrict certain web service methods to certain users/groups declaratively.
2. I notice that the ThreadLocal-based secure context used by Acegi depends on the invoker's intercepted thread name being constant throughout a secure (HTTP) session.
3. To try to extend this concept from the usual Acegi servlet/web client to a web service or RMI client, I have built an AOP interceptor for my EJB that receives my web service calls. I printed out the thread names of my EJB and the interceptor and found out that the interceptor runs under a different thread than the EJB. Does this mean Acegi cannot be used in this scenario?
4. Do you have any suggestions for a solution I might try?
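Added example, not part of the original post and not Acegi's or JBoss's own code, illustrating points 2 and 3 above: Acegi's SecurityContextHolder (default strategy MODE_THREADLOCAL) binds the context to the thread object itself, not to the thread's name, so a context set in the interceptor's thread is simply absent in the EJB's thread unless it is carried across explicitly. Point 1, on an EJB 2.x container such as JBoss 4, is normally handled by the container's own declarative security (method-permission entries in ejb-jar.xml, roles mapped through the security-domain in jboss.xml); the example below covers only the thread-propagation question. It assumes Acegi 1.0.x on the classpath; the user name, role, and helper method names are illustrative.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.context.SecurityContextImpl;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/**
 * Added example (not from the original post): shows that an Acegi
 * SecurityContext bound in one thread is invisible in another, whatever the
 * threads are named, and how to hand it across explicitly.
 * Assumes Acegi 1.0.x. "alice", "ROLE_ORDER_ENTRY" and the helper names are
 * illustrative.
 */
public class ContextPropagationDemo {

    /**
     * Build an already-authenticated context. In real code the token would come
     * back from AuthenticationManager.authenticate() after checking the SOAP
     * caller's credentials; here it is constructed directly.
     */
    static SecurityContext buildContext(String user, String role) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                user, null, new GrantedAuthority[] { new GrantedAuthorityImpl(role) });
        SecurityContext ctx = new SecurityContextImpl();
        ctx.setAuthentication(auth);
        return ctx;
    }

    /** Principal bound to the calling thread, or "<none>" if nothing is bound. */
    static String currentPrincipal() {
        Authentication a = SecurityContextHolder.getContext().getAuthentication();
        return a == null ? "<none>" : String.valueOf(a.getPrincipal());
    }

    /**
     * Run task on a new thread with ctx bound for the duration of the task.
     * An explicit copy like this works for any target thread, including pool
     * threads that were created long ago; MODE_INHERITABLETHREADLOCAL only
     * copies the context at Thread construction time, so it does not help with
     * a pool. The finally block clears the holder so a later task on the same
     * thread cannot inherit this caller's identity.
     */
    static Thread runWithContext(final SecurityContext ctx, final Runnable task) {
        Thread t = new Thread(new Runnable() {
            public void run() {
                SecurityContextHolder.setContext(ctx);
                try {
                    task.run();
                } finally {
                    SecurityContextHolder.clearContext();
                }
            }
        });
        t.start();
        return t;
    }

    public static void main(String[] args) throws InterruptedException {
        // Bind an authenticated context to the calling thread, as a servlet
        // filter or the poster's interceptor would.
        SecurityContextHolder.setContext(buildContext("alice", "ROLE_ORDER_ENTRY"));
        System.out.println("caller thread   : " + currentPrincipal());

        // Case 1: a second thread given the SAME name as the caller. Under the
        // default MODE_THREADLOCAL strategy it still sees no authentication,
        // because the binding is per Thread instance, not per name.
        Thread sameName = new Thread(new Runnable() {
            public void run() {
                System.out.println("same-named thread: " + currentPrincipal());
            }
        });
        sameName.setName(Thread.currentThread().getName());
        sameName.start();
        sameName.join();

        // Case 2: copy the context into the target thread explicitly; the
        // task now sees the caller's principal.
        Thread carried = runWithContext(SecurityContextHolder.getContext(), new Runnable() {
            public void run() {
                System.out.println("carried context : " + currentPrincipal());
            }
        });
        carried.join();

        // Always clear the calling thread too; in a container this thread
        // goes back to a pool and will serve another caller.
        SecurityContextHolder.clearContext();
    }
}
```

The security-relevant caveat when applying this to the interceptor-to-EJB hop: whoever copies a SecurityContext into another thread is asserting that caller's identity there, so the copy must only be made by code that has itself verified the SOAP credentials, and the receiving side must clear the context when the call completes. If the two threads are both container-managed and you have no hook to copy between them, the alternative is to authenticate in the interceptor and let the container's own security domain (JAAS principal and roles) carry the identity, which is what the ejb-jar.xml method-permission model checks against.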