Hello J2EE/JBOSS Gurus,

I’m developing a rule-based framework (using J2EE) for Application Development. My framework will be the base on which different applications of varied requirements will be built. My framework has to cater to different Application severs running on different database servers as a result of which my design should be soft and configurable. I looked at the Declarative security model for J2EE using JAAS. I’m stuck in choosing the right stuff for my framework. These are the following points that need clarification.

1. I cannot use the container-managed security as I have to specify roles and access in the deployment descriptor (i.e. I cannot redploy the components when new roles are added/removed/modified @ runtime)

2. Should I use the web sevrers logon model for my authentication or shud I create my own.

3. If I use the Web server's Authentication, how do I dynamically obtain the Role info of the user without hardcoding (not using isCallerInRole). Is there any API exposed to do the same.

4. I need to think about User Profile Object to be dynamically loaded after the login. Which is the best way to do so?

I'll need your valuble comments and suggestions soon.

Thanx in Advance
Regards.
Keerthi Kumar M