I was wondering what the best approach would be to declaratively secure
web services by user and / or group. Our web services invoke methods in stateless session beans under JBOSS 4.00.

I have looked at the asegi security framework for Spring which uses
a ThreadLocal based security context. This requires that the login method and subsequent method calls use the same thread. This of course works well for web apps since servlet invocations in the same http session use the same thread in the servlet.

But in my ejb web service test app I noticed that web service calls to a session bean can run under different threads (in the session bean) even when methods are called one after another from the same client.