We intend to use brokered authentication in a multi-layer architecture (Web/BPM/Services/Persistence).
Brokered authentication manifests itself in all layers - no layer trusts another, but any layer may validate the security token passed with the calls from one layer to the other.
Typical scenario: User logs in, receives security token, calls services (with token), calls jBPM, which in turn calls services with token.
a) Is there support for brokered authentication in Seam?
b) Is there support for transparent brokered authentication in jBPM? Recall that jBPM would have to validate the sec token from the Web layer, and then subsequently transfer this token when it makes calls to the services layer with that token - security at the jBPM level is in fact the part that gives me the most headaches.
c) Our services are for now implemented as stateless session EJBs, but should be easily migratable to web services later. For this, we implement "generic" calls to services. They include a request, a security token, and other contextual information if necessary. The implementation of the generic service call is for now designed for EJBs. It may, however, later be altered to support web services, and use web services security. Whatever the scenario, the 3 objects passed (the request, the security token, and contextual information) are enough, I guess.
What's the best way to make those components play together?
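
The call pattern described in the post, as an added example in plain Java (16+); it is not part of the original post and uses no Seam, jBPM or EJB API. Each layer validates the broker-issued token itself and forwards it unchanged. The class and method names, the `subject|expiry|signature` token format and the shared HMAC key are all assumptions made for the illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class BrokeredCallDemo {
    // Assumption: demo key shared by broker and layers; a real broker would sign asymmetrically.
    static final byte[] BROKER_KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    // The three objects of the generic call: request, security token, context.
    record ServiceCall(String request, String token, Map<String, String> context) {}
    static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(BROKER_KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }
    // Broker side. Constructed token format: subject|expiryEpochSeconds|signature
    static String issue(String subject, long ttlSeconds) throws Exception {
        String payload = subject + "|" + (System.currentTimeMillis() / 1000 + ttlSeconds);
        return payload + "|" + sign(payload);
    }
    // Run by every layer on every inbound call: returns the subject or throws.
    static String validate(String token) throws Exception {
        String[] p = token == null ? new String[0] : token.split("\\|");
        if (p.length != 3) throw new SecurityException("malformed token");
        byte[] expected = sign(p[0] + "|" + p[1]).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("bad signature");   // constant-time compare
        if (Long.parseLong(p[1]) < System.currentTimeMillis() / 1000) throw new SecurityException("token expired");
        return p[0];
    }
    static String servicesLayer(ServiceCall call) throws Exception {
        // Validates again: the services layer does not rely on the caller's check.
        return "handled '" + call.request() + "' for " + validate(call.token());
    }
    static String processLayer(ServiceCall call) throws Exception {
        validate(call.token());   // check the token received from the web layer
        // Forward the caller's own token unchanged, not a process-engine identity.
        return servicesLayer(new ServiceCall("task:" + call.request(), call.token(), call.context()));
    }
    public static void main(String[] args) throws Exception {
        String token = issue("alice", 300);
        System.out.println(processLayer(new ServiceCall("approveOrder", token, Map.of())));
        try {   // altered subject: the signature no longer matches
            processLayer(new ServiceCall("approveOrder", token.replace("alice", "admin"), Map.of()));
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the process layer hands on the token it received instead of its own credentials, the services layer authorizes the original user, and a token altered in transit is rejected at the first layer that sees it.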