IANASE (I Am Not A Security Expert) but, IMO, EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.
But it was my impression that JBoss security is so pluggable that there are other places you can customize the container managed security used by EJB3.
EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.
Yep. Which is why I thought SEAM (which uses servlet filters and EJB3 interceptors) might be an ideal place to provide an easy-to-use security model. I think 80% of web applications probably have the same basic security needs.
I guess it might be interesting (and easy) to integrate Acegi into Seam. Christian says it is good, and better than JAAS.
One benefit of using the JBoss container security (JAAS) is that one can easily control the rendering of Tomahawk components through the JAAS roles (e.g. enabledOnUserRole):
<t:commandLink enabledOnUserRole="TopicalManager" id="nestedSet">Nested Set</t:commandLink>
However, I still have to verify if access to all secure JSF resources is really controlled (don't know how much the fact that the URL in the browser does not get updated will impact on the defined-url pattern in a security-constraint in the web.xml).
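An added example, not code from any poster in this thread or from Seam, JBoss or Tomahawk: a sketch of the EJB3 interceptor approach discussed above, enforcing the role on the business method itself so the check holds even where a disabled link or a web.xml url-pattern does not cover the request. The `@RequiresRole` annotation and the `RoleCheckInterceptor` class are hypothetical names; `EJBContext.isCallerInRole`, `@AroundInvoke` and `EJBAccessException` are standard EJB3 API.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Hypothetical annotation (assumption: not part of EJB3, Seam or Tomahawk).
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface RequiresRole {
    String[] value(); // caller must hold at least one of these roles
}

// Attach to a session bean with @Interceptors(RoleCheckInterceptor.class) and
// mark methods with e.g. @RequiresRole("TopicalManager"). The role names must
// also be declared on the bean (@DeclareRoles) for isCallerInRole to resolve them.
public class RoleCheckInterceptor {

    @Resource
    private EJBContext ctx; // injected by the container; carries the caller's identity

    @AroundInvoke
    public Object check(InvocationContext ic) throws Exception {
        Method m = ic.getMethod();
        // A method-level annotation wins; otherwise fall back to the class-level one.
        RequiresRole required = m.getAnnotation(RequiresRole.class);
        if (required == null) {
            required = m.getDeclaringClass().getAnnotation(RequiresRole.class);
        }
        // Deny before the business method runs if no listed role matches.
        if (required != null && !callerHasAny(required.value())) {
            throw new EJBAccessException("Caller lacks a required role for " + m.getName());
        }
        return ic.proceed(); // unannotated methods pass through unchanged
    }

    private boolean callerHasAny(String[] roles) {
        for (String role : roles) {
            if (ctx.isCallerInRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```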