2 Replies Latest reply on Feb 19, 2002 4:50 AM by jwkaltz

    User mapping - dumb question

    mikefinn

      A general question on implementing security.

      How do you map authenticated user/principal to an 'aliased' user to invoke EJB methods? For example, my users will be authenticated against LDAP, but I don't want to manage all those users as real EJB users (there are 10K+ of them). What is the standard mechanism by which this is done? I am sure it's in front of my face, but am just not seeing it....

      TIA,
      Mike

        • 1. Re: User mapping - dumb question
          mikefinn

          Ignore last. Let me ask it a different way.
          How do user identities (say, those authenticated via LDAP loginmodule) get mapped to an EJB group or role, in a declarative implementation?

          We will have EJB with web and fat clients. There are several apps for which I want to use a unified security model. All users would be authenticated via LDAP. Since we have little control over the LDAP object structure, I don't want to assume we can store user roles there. This would be done in RDBMS.

          So the steps would be:
          1) Authenticate user vs. LDAP
          2) Take user name, go to DB and get group or role names.
          I was thinking 1/2 could be done via a custom login module, basically extending the LdapLoginModule to get the groups/roles out of the DB instead of LDAP.

          - Does this approach make sense?
          - I am confused as to the meaning of roles vs. groups in the context of J2EE security model. I want to map the user identity to some 'aggregated identity' and use that for access control. Which is it: group or role?
          - I want to use the same 'aggregated identity' to control web and EJB resources. How does this get propagated between web and ejb container?

          I know these questions seem primitive. Thanks mucho for the patience.

          TIA,
          Mike

          • 2. Re: User mapping - dumb question
            jwkaltz

            > Does this approach make sense?

            If you can't store the roles in LDAP, I suppose so.
            You can subclass
            org.jboss.security.auth.spi.UsernamePasswordLoginModule
            and overwrite
            protected Group[] getRoleSets() throws LoginException
            (you access the user through getIdentity().getName() )
            and make your DB call in this method; that should work.

            I don't know about the web permissions stuff.
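            Putting the two posts together as an added example (this is not code from the thread, the poster, or JBoss itself): a login module that keeps LdapLoginModule's LDAP bind for step 1 and overrides getRoleSets() to do step 2 against the RDBMS, as jwkaltz describes. It assumes the JBoss 3.x API in which org.jboss.security.auth.spi.LdapLoginModule extends UsernamePasswordLoginModule, so getRoleSets() and getIdentity() are inherited from there. The package name, the datasource JNDI name, the user_roles table and the dsJndiName/rolesQuery module options are all hypothetical; the login-config.xml fragment in the class comment is likewise an assumed configuration.

```java
package com.example.security; // hypothetical package

import java.security.acl.Group;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.LdapLoginModule;

/**
 * Authenticates the user against LDAP (inherited from LdapLoginModule) but
 * reads the user's roles from a relational database instead of from LDAP.
 *
 * Assumed login-config.xml fragment (hypothetical option names):
 *
 *   <application-policy name="ldap-db-roles">
 *     <authentication>
 *       <login-module code="com.example.security.LdapAuthDbRolesLoginModule"
 *                     flag="required">
 *         <module-option name="java.naming.provider.url">ldap://ldap.example.com:389/</module-option>
 *         <module-option name="principalDNPrefix">uid=</module-option>
 *         <module-option name="principalDNSuffix">,ou=People,dc=example,dc=com</module-option>
 *         <module-option name="dsJndiName">java:/DefaultDS</module-option>
 *         <module-option name="rolesQuery">SELECT role_name FROM user_roles WHERE user_name = ?</module-option>
 *       </login-module>
 *     </authentication>
 *   </application-policy>
 */
public class LdapAuthDbRolesLoginModule extends LdapLoginModule {
    private String dsJndiName;
    private String rolesQuery;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        // Let LdapLoginModule pick up its own LDAP options first.
        super.initialize(subject, callbackHandler, sharedState, options);
        dsJndiName = (String) options.get("dsJndiName");
        if (dsJndiName == null) {
            dsJndiName = "java:/DefaultDS"; // assumed default datasource name
        }
        rolesQuery = (String) options.get("rolesQuery");
        if (rolesQuery == null) {
            // Hypothetical schema: user_roles(user_name, role_name)
            rolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?";
        }
    }

    /**
     * Called by UsernamePasswordLoginModule after the LDAP bind succeeded.
     * The returned "Roles" group is what the JBoss security manager consults
     * when checking method-permission / security-constraint role names.
     */
    protected Group[] getRoleSets() throws LoginException {
        String username = getIdentity().getName();
        SimpleGroup roles = new SimpleGroup("Roles");
        Connection conn = null;
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(dsJndiName);
            conn = ds.getConnection();
            // Bind parameter rather than string concatenation: the user name
            // came from the client and must not reach the SQL as text.
            PreparedStatement ps = conn.prepareStatement(rolesQuery);
            ps.setString(1, username);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                roles.addMember(new SimplePrincipal(rs.getString(1)));
            }
            rs.close();
            ps.close();
        } catch (NamingException e) {
            throw new LoginException("Datasource lookup failed: " + e.getMessage());
        } catch (SQLException e) {
            throw new LoginException("Role query failed: " + e.getMessage());
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }
        // A user with no rows simply gets an empty "Roles" group and will be
        // denied by any role-based check, which is the safe default.
        return new Group[] { roles };
    }
}
```

            Because the roles end up in the JAAS Subject as the "Roles" group, the same set is seen by both the web container (security-constraint / auth-constraint) and the EJB container (method-permission) once the deployment descriptors point at the same security domain; the role names in the table must match the role-name entries declared there.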