@RolesAllowed allows one to check whether a caller principal has a certain role in a declarative way. Besides checking permissions on executed operations there is also something I call entity ownership checking. This is where you want to check whether the caller principal is allowed to update an Entity. For this I would like to use an Entity Listener since this is one of those cross-cutting concerns. But apparently it's not possible to inject the SessionContext into the listener, since it's not an EJB3 session bean I guess. Thus I'm using the SecurityAssociation.getPrincipal/getSubject to gain access to the caller principal and roles in order to perform the entity ownership checks. Is it OK to use the SecurityAssociation for this purpose?