I cannot answer your question 100%, but I think I can give you hope.
I seem to remember reading about creating SecurityInterceptor(s) for your Beans. I don't know if I have the name correct, hopefully someone can intercede here. Anyways, inside the Interceptor(s) you write the code to determine if the current Principal has access to the bean's methods.
I thought I had read this in the JBossBook, but in perusing it just now, I couldn't find it. Only thing I could find was on page 268, where there's a diagram showing... I'll do some more research and post my findings here, as I need to figure this out soon anyways...
AHA... I found it...
In this Javaworld article...
Here's the abstract:
The current EJB (Enterprise JavaBeans) specification supports basic declarative, role-based access-control mechanisms, but provides limited support for coding application-specific security checks. Moreover, it doesn't define any way to factor out access-control code from business logic, or to integrate external authorization services. The open source, J2EE-compliant (Java 2 Platform, Enterprise Edition) JBoss application server features a protection-proxy security architecture that will help you overcome these restrictions. (4,500 words; February 15, 2002)
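The protection-proxy idea from that abstract, as an added example that is not code from the article, from JBoss, or from the poster: a java.lang.reflect.Proxy sits in front of a bean and checks the caller Principal's roles against a per-method policy before delegating, so the business logic itself carries no access-control code. The AccountBean interface, CallerPrincipal record, role names and policy are all assumptions made for the example.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class ProtectionProxyDemo {
    // Hypothetical bean interface and implementation; the business logic holds no security code.
    interface AccountBean {
        double balance(String accountId);
        void transfer(String from, String to, double amount);
    }
    static class AccountBeanImpl implements AccountBean {
        public double balance(String accountId) { return 42.0; }       // constructed value
        public void transfer(String from, String to, double amount) { } // business logic elided
    }
    // Caller identity with role names; stands in for the Principal the container would supply.
    record CallerPrincipal(String name, Set<String> roles) implements Principal {
        public String getName() { return name; }
    }
    // The protection proxy: every call is checked against a per-method role policy first.
    static class Guard implements InvocationHandler {
        private final Object target;
        private final Map<String, Set<String>> policy;  // method name -> roles allowed to call it
        private final CallerPrincipal caller;
        Guard(Object target, Map<String, Set<String>> policy, CallerPrincipal caller) {
            this.target = target; this.policy = policy; this.caller = caller;
        }
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            Set<String> allowed = policy.get(m.getName());
            // Default deny: a method with no policy entry is not callable through the proxy.
            if (allowed == null || allowed.stream().noneMatch(caller.roles()::contains)) {
                throw new SecurityException(caller.getName() + " may not call " + m.getName());
            }
            return m.invoke(target, args);   // authorized: hand the call to the real bean
        }
    }
    @SuppressWarnings("unchecked")
    static <T> T protect(Class<T> iface, T target, Map<String, Set<String>> policy, CallerPrincipal caller) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface},
                new Guard(target, policy, caller));
    }
    public static void main(String[] args) {
        Map<String, Set<String>> policy = Map.of("balance", Set.of("customer", "teller"),
                                                 "transfer", Set.of("teller"));
        CallerPrincipal alice = new CallerPrincipal("alice", Set.of("customer"));
        AccountBean bean = protect(AccountBean.class, new AccountBeanImpl(), policy, alice);
        System.out.println(bean.balance("acct-1"));        // allowed: customers may read balances
        try { bean.transfer("acct-1", "acct-2", 10.0); }   // denied: transfer requires teller
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Because the policy is keyed by method name, Object methods such as toString are also denied unless listed, which is the safe default; a container-level interceptor would instead obtain the Principal and method from the invocation context rather than from constructor arguments.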