I want to use a session bean (called LoginService) to authenticate in place of a direct database call (a la DatabaseServerLoginModule). I've subclassed UsernamePasswordLoginModule and overriden getUsersPassword() and getRoleSets(). The problem with this has been documented in this forum (ie, the authenticating EJB must itself be authenticated - it can use the 'unauthenticatedIdentity' parameter, but if the same security domain is used for web authentication through jboss_web.xml, the client is never prompted to authenticate).

To overcome this problem, I have set up two jars in the same ear file - one which uses a security-domain in jboss.xml, and one which doesn't. The latter jar contains all the EJB's required for the authentication process itself. Everything now works fine:

1. If a secure web resource is requested, authentication goes through the EJB layer in the unsecured jar.
2. If a secure EJB method is invoked, authentication also goes through the EJB layer in the unsecured jar.


My question is: is there any theoretical problem this kind of set-up might run into down the track? It seems useful to use EJB's for authentication/authroisation particularly in cases where users & groups can by dynamically assigned to roles by the application (using User, Group and Role CMP2 beans for instance). In this scenario, using the DatabaseServerLoginModule would require commit option C or D on such beans, to make sure changes in role assignments were immediately committed to the underlying data source.