I want to use Spring Security with EJB 3.1. I was told that storing the SecurityContext with ThreadLocal doesn't work in clustered environments. What is the best way to hold a Spring SecurityContext in a clustered EJB environment?

My idea:

  • replace the SecurityContextHolder with a stateful singleton EJB and hold the SecurityContext for each user in a HashMap
  • access the SecurityContext for a specific user through the securityContextHolderEJB.getContext("userX") method


Another vague idea is to use JSR 299 Contexts to hold the SecurityContext, but I have no idea how to do it or even if it would work in principle. Any ideas?

Would this work? Better ideas?