I'm very interested in mechanisms for supplying instance-level security to a J2EE application using EJB3. Do I have to do that programmatically, or are there new specs for that?
Example: I have a shopping cart with a set of DVDs (taken from the DVD store demo). However, I want to be certain that a user only has access to his/her shopping cart and cannot add DVDs to other users' shopping carts by manipulating identifiers in the requests. This issue is cleverly avoided in the demo by using single-point programmatic authentication at the web tier, which is running in the same JVM. Suppose that the web tier is not trusted, however, or even that there is no web tier - the EJBs are exposed through web services or RMI/IIOP to client apps. Do I need to recode the EJBs in some way (possibly plugging in a framework similar to Acegi for the app layer), or has the JBoss team already thought of such problems?
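The per-cart ownership check described in the question, enforced programmatically inside the EJB so it holds whatever client calls it. This is an added example, not part of the original post and not code from the DVD store demo. The `Cart` entity, the `CartService` interface, the `customer` role and the use of JPA 2.0's `@ElementCollection` are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.ElementCollection;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

// Hypothetical entity (assumes JPA 2.0): each cart stores its owner's login name.
// All types share one listing for brevity; a project would split them into files.
@Entity
class Cart {
    @Id Long id;
    String owner;
    @ElementCollection List<Long> dvdIds = new ArrayList<Long>();
    protected Cart() {}
}

@Remote
interface CartService { void addDvd(Long cartId, Long dvdId); }

@Stateless
@RolesAllowed("customer") // hypothetical role; declarative security stops at role level
public class CartServiceBean implements CartService {
    @PersistenceContext EntityManager em;
    @Resource SessionContext ctx;

    // Instance-level check: the caller's identity is taken from the container's
    // security context, never from a value supplied in the request.
    private Cart loadOwnedCart(Long cartId) {
        String caller = ctx.getCallerPrincipal().getName();
        Cart cart = em.find(Cart.class, cartId);
        // Same failure for "no such cart" and "not your cart", so ids cannot be probed.
        if (cart == null || !caller.equals(cart.owner)) {
            throw new EJBAccessException("cart not accessible");
        }
        return cart;
    }

    public void addDvd(Long cartId, Long dvdId) {
        loadOwnedCart(cartId).dvdIds.add(dvdId); // managed entity, flushed at commit
    }
}
```

The check only means something if the caller is authenticated to the EJB container itself (for example through the security domain configured for the remote or web-service endpoint), so that `getCallerPrincipal()` reflects the real user rather than an identity asserted by an untrusted tier.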