After many readings and prototypes, I'm currently using the approach described in the last post of http://seamframework.org/Community/SeamAndSecurityContext.
But I'm wondering if this is the solution everyone uses. So my initial question is still open: how to secure an application running in an EJB3 container and using Seam mainly for the webapplication? Does anyone have a recommendation? I can't believe that everyone reimplements the security features and uses a self-developed framework.