EJB 2.0 and JBoss provide for the same security for each object in any EJB class.

As a part of a project I am currently working on, we need to provide security that can vary from object to object. The access control we need is similar in generality to an operating system - i.e. the ability to specify roles a user has on an object or a collection of objects.

Has this been done before with JBoss? Do you know of any open source or commercial code that is available to implement this sort of thing? Any advice on how best to do this?

I can see that we can do what we need by providing our own SecurityProxyFactory and/or SecurityInterceptor. Are these reasonable approaches?

Bill Alexander