I'm working on a suite of status and control applications for embedded devices based on JBoss. I want to leverage as much of the built-in security framework as I can. But, I'm having a hard time getting my mind wrapped around the capabilities. I've read the security section in "JBoss 4.0, the Official Guide." And I've played with example 2 in that chapter. On my first read, I thought that the Principal object in the LoginContext in my client would be updated with the information retrieved on the server side by the LoginModule. Specifically, I'd like to be able to query the LoginContext in my client after authentication to retrieve the user's Roles. But, after hacking example 2 a bit, it doesn't look like the client side LoginContext is being updated from the server side. I assume that would happen in a stand-alone JAAS application? But, JBoss hasn't fully implemented that functionality in the client\server architecture? This is unfortunate. In my client applications I want to be able to limit the user's choices in the UI to prevent them from requesting operations they don't have access to. For example, I may have admin users and normal operators. So, I wouldn't want my operators to see a bunch of widgets for admin functions. I'll need the user's list of Roles in the client for this. So, it would be ideal if the Principal in the client's LoginContext were updated with the information gathered by the server-side LoginModule. Is this supposed to happen and I just have a configuration problem? If this feature just isn't implemented, any thoughts towards implementing it some day? I have a few thoughts about a work-around to get what I need. Basically, I'll just have to publish a method from an EJB on the server to retrieve the Roles manually. But, I just wanted to check to make sure I'm not missing something before I go down that road.

Thanks in advance for any help or suggestions.

Eric