Hi I'm relatively new to JBoss security and I'm running into a problem that I can seem to figure a way around.

I want to create a webapp that allows users differing levels of access for the same principal, depending on how they authenticated.

For example, if the user has clicked the typical "remember me" button and logs back in using a cookie, they should have guest access levels until they provide a password.

If the user has entered a username and password, they should be allowed access to almost all methods of the underlying EJBs for the duration of their HTTP session.

In some cases, such as making a purchase, they'll have to provide their password then and there, essentially making a third level of access that exists for the duration of the HTTPRequest.

My idea was that each level would be reflected by different roles (in increasing access order: "guest", "user", and "verified"), but the user principal would remain the same.

Essentially it's been designed so that the less secure access levels have longer durations. E.g. "guest" last for the duration of the cookie, "user" for the duration of the session, and "verified" for the duration of the request.

It is possible therefor to have multiple threads servicing EJB calls in JBoss all with the same principal, but with different role sets.

As far as I can tell though, there is only one user-to-role-set mapping per security domain. Thus indicating that I'd have to have 3 different servlet containers each with different security domains? is that right?

I've pretty much given up on using Jetty authentication at this point. My plan is now to implement a Filter that does the authentication for my servlets using JAAS. But there's still the question of how to get JBoss to handle the differing levels of access.

Any help on this topic or creative alternatives would be greatly appreciated.

Cheers,
-Jeff