Rule-Based doesUserHaveRole Checking
shorero Oct 31, 2002 11:52 AM

I'd like to be able to create an environment in which the doesUserHaveRole checking uses rules rather than an enumerated list of string equivalents (I can discuss the reason in more detail if anybody's interested). I propose to implement this feature as follows:
1. Create an extension of SimplePrincipal called (say) RoleCheckPrincipal.
2. Modify SimpleGroup.isMember() as follows:
a. If the parameter "member" is an instanceof SimplePrincipal, replace it with an instance of RoleCheckPrincipal that has the same name.
b. Rather than use members.containsKey(), explicitly iterate through the key set and call key.equals(member) - that is, ensure that the equals() method of the key that's in the members map gets called, rather than the equals() method of the member parameter.
This allows me to implement a rule-based role check as follows:
1. The appropriate LoginModule builds a special Principal object with an equals() method that implements the rule check.
2. If the parameter to this Principal's equals() method is an instance of RoleCheckPrincipal, then the Principal performs the rule-based check; otherwise it does something sensible, like returning an equals() comparison on its own name.
The point of this is to allow the equals() method in the special principal to "know" whether the method is being called in the context of an isMember() check or some other context. In turn, this allows the special principal to decide whether or not to trigger its rule-based processing on the incoming parameter.
Note that since the RoleCheckPrincipal is an extension of SimplePrincipal, all existing code that depends on seeing a SimplePrincipal in the equals() method will work unchanged.
1. Given that I want to support a rule-based doesUserHaveRole check with a minimum of changes to existing JBoss coding, does this approach make sense? Does somebody have an alternate approach to achieve the same end?
2. If this seems like a reasonable thing to do, shall I post the modified code here for inclusion into the JBoss code base?
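A sketch of the proposal above, added here as an illustration; it is not the poster's code and not JBoss source. SimplePrincipal, SimpleGroup and RoleCheckPrincipal are minimal stand-ins with assumed shapes, and RulePrincipal, the "report-rule" name and the "report:" prefix rule are hypothetical.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Stand-ins for the classes named in the post (assumed shapes, not JBoss source).
public class RuleRoleCheckDemo {
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    // Marker subclass: tells equals() that it is being called from a role check.
    static class RoleCheckPrincipal extends SimplePrincipal {
        RoleCheckPrincipal(String name) { super(name); }
    }
    // Hypothetical principal that a LoginModule would place in the roles group.
    static class RulePrincipal extends SimplePrincipal {
        private final Predicate<String> rule;
        RulePrincipal(String name, Predicate<String> rule) { super(name); this.rule = rule; }
        @Override public boolean equals(Object o) {
            if (o instanceof RoleCheckPrincipal) return rule.test(((Principal) o).getName());
            return super.equals(o);   // plain name comparison outside role checks
        }
        // hashCode() is inherited and knows nothing of the rule, hence step 2b.
    }
    static class SimpleGroup extends SimplePrincipal {
        final Map<Principal, Principal> members = new LinkedHashMap<>();
        SimpleGroup(String name) { super(name); }
        void addMember(Principal p) { members.put(p, p); }
        boolean isMember(Principal member) {
            // Step 2a: wrap a plain SimplePrincipal so the key can recognise the context.
            if (member instanceof SimplePrincipal && !(member instanceof RoleCheckPrincipal))
                member = new RoleCheckPrincipal(member.getName());
            // Step 2b: iterate so that the stored key's equals() is the one that runs.
            for (Principal key : members.keySet())
                if (key.equals(member)) return true;
            return false;
        }
    }
    public static void main(String[] args) {
        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new RulePrincipal("report-rule", r -> r.startsWith("report:")));
        System.out.println(roles.isMember(new SimplePrincipal("report:read"))); // rule decides
        System.out.println(roles.isMember(new SimplePrincipal("admin")));       // rule decides
        // Hash lookup on the same map, for comparison: the rule is never consulted.
        System.out.println(roles.members.containsKey(new RoleCheckPrincipal("report:read")));
    }
}
```

RulePrincipal.equals() is asymmetric and disagrees with hashCode(), so such a principal only behaves as intended where the caller iterates and invokes the stored key's equals(), as isMember() does here.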