Correct me if I am wrong, but I believe EJBs are still secured by containers. You can set up a declarative security policy with the use of XML tags in the ejb-jar.xml for the container, or roll your own with JAAS. If you are using JAAS, then Acegi Security is out of the question. If you are using XML tag based security in the web.xml/jboss-web.xml, then the security context is propagated to the EJB container by JBoss. In this case too, Acegi Security is out.
Cut to the chase, Acegi cannot be used for EJBs. It is a filter based HTTP protocol authorization/authentication mechanism. Good for web resources & ensures web container independence. For EJBs you have to rely on the container for security & as I said before containers provide 2 ways to secure EJBs (XML tag based & JAAS based) ...
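For reference, the declarative ejb-jar.xml policy mentioned in the post above could look like the following. This is an added example, not part of the original posts; the bean name `AccountServiceBean`, its method names and the role names are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
         version="3.0">
  <assembly-descriptor>
    <!-- Logical roles; the container maps authenticated principals to them. -->
    <security-role><role-name>teller</role-name></security-role>
    <security-role><role-name>auditor</role-name></security-role>

    <!-- State-changing method: a single role only (least privilege). -->
    <method-permission>
      <role-name>teller</role-name>
      <method>
        <ejb-name>AccountServiceBean</ejb-name>
        <method-name>transfer</method-name>
      </method>
    </method-permission>

    <!-- Read-only method: either role may call it. -->
    <method-permission>
      <role-name>teller</role-name>
      <role-name>auditor</role-name>
      <method>
        <ejb-name>AccountServiceBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>

    <!-- Explicitly open method: the container skips the role check. -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>AccountServiceBean</ejb-name>
        <method-name>ping</method-name>
      </method>
    </method-permission>

    <!-- Never callable by any client, regardless of role. -->
    <exclude-list>
      <method>
        <ejb-name>AccountServiceBean</ejb-name>
        <method-name>purgeHistory</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

Because the container enforces these checks on every invocation, they also apply to calls that arrive through a remote JNDI lookup rather than through the web tier.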
In my case I have the same requirements: I have an EJB3 container (JBoss 4.2) and a classic EJB3 implementation. I want to secure the methods of my EJBs with Spring Security. Furthermore, I have a rich client application which accesses the EJB components with JNDI lookups. So I can't use filter based HTTP protocol authorization/authentication.
A solution for using Spring Security without web stuff you can find here:
But that's not everything. I have the problem that I don't know how I can secure the methods within the context of a JNDI lookup. Actually, the Spring IoC container has to handle the MethodSecurityInterceptor aspects. But I don't know how I could configure it in a way to stick it together... does anybody have similar requirements?