The declarative security model defined in the J2EE platform does not suit us because we would like to allow the superuser of the application to dynamically assign which EJB objects and methods are allowed for each role.
I have been looking into the security proxy feature of JBoss and I think I might be able to use it to dynamically manage the ACL for each EJB object access.
I would like to know if anyone else has worked on something similar and may be able to comment on whether I am on the right track.
It's certainly one way. You can just as well use a custom EJB interceptor.
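A sketch of the interceptor route suggested in the reply, added here as an illustration and not code from either poster or from JBoss. It assumes an EJB 3 container with the standard `javax.interceptor` API (the thread does not say which EJB version is in use); `DynamicAclInterceptor` and `AclStore` are hypothetical names, and the in-memory maps stand in for whatever store the superuser's admin screen would write to.

```java
// Added example: assumes EJB 3 (javax.interceptor); AclStore is a hypothetical helper.
import java.lang.reflect.Method;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

public class DynamicAclInterceptor {
    /** Hypothetical in-memory ACL; a real one would be backed by the application's database. */
    public static final class AclStore {
        // "beanClass#method" -> roles allowed to call it
        private static final ConcurrentMap<String, Set<String>> GRANTS = new ConcurrentHashMap<>();
        // principal name -> application roles assigned by the superuser
        private static final ConcurrentMap<String, Set<String>> ROLES = new ConcurrentHashMap<>();

        public static void grant(String role, Class<?> bean, String method) {
            GRANTS.computeIfAbsent(key(bean, method), k -> ConcurrentHashMap.newKeySet()).add(role);
        }
        public static void revoke(String role, Class<?> bean, String method) {
            Set<String> roles = GRANTS.get(key(bean, method));
            if (roles != null) roles.remove(role);
        }
        public static void assign(String principal, String role) {
            ROLES.computeIfAbsent(principal, k -> ConcurrentHashMap.newKeySet()).add(role);
        }
        static boolean isAllowed(String principal, Class<?> bean, String method) {
            Set<String> allowed = GRANTS.get(key(bean, method));
            Set<String> held = ROLES.get(principal);
            if (allowed == null || held == null) return false; // deny by default
            for (String r : held) if (allowed.contains(r)) return true;
            return false;
        }
        private static String key(Class<?> bean, String method) { return bean.getName() + "#" + method; }
    }

    @Resource
    private EJBContext ejbContext; // injected by the container; identifies the authenticated caller

    @AroundInvoke
    public Object check(InvocationContext ic) throws Exception {
        Method m = ic.getMethod();
        String caller = ejbContext.getCallerPrincipal().getName();
        Class<?> bean = m.getDeclaringClass();
        if (!AclStore.isAllowed(caller, bean, m.getName())) {
            throw new EJBAccessException(caller + " may not call " + bean.getSimpleName() + "." + m.getName());
        }
        return ic.proceed(); // authorised: continue down the interceptor chain to the bean
    }
}
```

Bind it with `@Interceptors(DynamicAclInterceptor.class)` on a bean, or as a default interceptor in `ejb-jar.xml` so that no bean is left unguarded. The ACL key uses only the method name, so overloaded methods share one entry, and a method with no grant is refused.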