2 Replies Latest reply on May 3, 2002 7:25 PM by chrisgerrard

    Determining User's security roles

    chrisgerrard

      I'm trying to find a way to programmatically retrieve the current User's roles.
      In my application I have custom "security policies" associated with individual application objects and need to determine at runtime what access the User has to the object based upon the correlation of the User's set of roles and the roles and access privileges in the "security policy".
      So far the only solution I've been able to come up with is to use EJBContext's getCallerPrincipal() and isCallerInRole() methods to perform some coarse iterative comparisons - get a role from the policy, see if the User has it, do the right thing, etc. - this isn't really very satisfying and I'd very much like to find a solution that enables me to obtain the full set of roles for the User in one operation so I can use them as I need to.
      I'd really like to be able to get access to the javax.security.auth.Subject that is presumably known to JBoss.
      I'm investigating the possibility of hooking into the security interceptor(s), but as of now don't know if or how this might work, or even if I'm barking up the wrong tree.
      <side-note>
      FWIW I've looked at JSR115 and think there's some promise there. I have a concern in the seemingly implicit assumption that the overall security policy for an application is somewhat static and external to the application, whereas our model is very dynamic, requiring that the security access information associated with any application object, and the roles associated with Users, be dynamic and configurable within the application itself.
      </side-note>
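The iterative approach the post describes (walk the roles named in an object's policy, ask the container whether the caller holds each one, and accumulate the privileges those roles grant) looks roughly like the following. This is an added example, not code from the poster or from JBoss; `SecurityPolicy`, `PolicyEvaluator` and the privilege names are hypothetical, and the only container API used is the standard `javax.ejb.EJBContext.isCallerInRole(String)`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.ejb.EJBContext;

/**
 * Hypothetical evaluator for a per-object "security policy" of the kind the post
 * describes: a mapping from role name to the privileges that role confers on the object.
 * Resolution of the caller's roles is delegated to the EJB container, one role at a time.
 */
public final class PolicyEvaluator {

    /** Hypothetical policy object: role name -> privileges granted to that role. */
    public static final class SecurityPolicy {
        private final Map<String, Set<String>> grants = new HashMap<String, Set<String>>();

        /** Grant a privilege to a role; the policy is mutable so it can be reconfigured at runtime. */
        public SecurityPolicy grant(String role, String privilege) {
            Set<String> privs = grants.get(role);
            if (privs == null) {
                privs = new LinkedHashSet<String>();
                grants.put(role, privs);
            }
            privs.add(privilege);
            return this;
        }

        public Set<String> roles() {
            return Collections.unmodifiableSet(grants.keySet());
        }

        public Set<String> privilegesFor(String role) {
            Set<String> privs = grants.get(role);
            return privs == null ? Collections.<String>emptySet() : Collections.unmodifiableSet(privs);
        }
    }

    private PolicyEvaluator() { }

    /**
     * Union of the privileges of every policy role the caller holds.
     * Each isCallerInRole call is one round trip to the container's role resolution,
     * which is the "coarse iterative comparison" the post is unhappy with.
     */
    public static Set<String> effectivePrivileges(EJBContext ctx, SecurityPolicy policy) {
        Set<String> result = new LinkedHashSet<String>();
        for (String role : policy.roles()) {
            // Only roles the container can resolve count; anything else is treated as "not held".
            if (ctx.isCallerInRole(role)) {
                result.addAll(policy.privilegesFor(role));
            }
        }
        return result;
    }

    /** Deny by default: access is granted only if some held role explicitly confers the privilege. */
    public static boolean canAccess(EJBContext ctx, SecurityPolicy policy, String privilege) {
        return effectivePrivileges(ctx, policy).contains(privilege);
    }

    /** Constructed sample policy for a single application object. */
    public static SecurityPolicy samplePolicy() {
        return new SecurityPolicy()
                .grant("editor", "read")
                .grant("editor", "write")
                .grant("viewer", "read");
    }
}
```

Two caveats apply when this is used inside a session bean. First, `isCallerInRole` resolves logical role names, so under EJB 2.x each role name the policy can hand to it must be resolvable by the container, which normally means declaring it as a `security-role-ref` in the deployment descriptor; a role invented purely at runtime inside the application will not be recognised, which is exactly the tension with a fully dynamic role model that the side note raises. Second, because the evaluator denies unless a held role grants the privilege, an unresolvable or misspelled role name fails closed rather than open.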