We've recently moved our servlet + EJB application from JRun4 to JBoss 3.0 with Tomcat.
I have a question about how JBoss checks roles. With JRun (which uses JAAS) it only checked for a particular role if that role was actually requested (isUserInRole("foobar")). So if a user only used a portion of the web site that required 2 roles to be used, then only those two roles would be checked.
JBoss seems to check all roles at login and then cache them. Our web site has about 80 defined roles (some of which are dynamic and expensive to compute). Most users only have a small subset of those roles. So if those users never try to access a portion of our site which requires a role they don't have, then those roles should never even be checked (at least that's how JRun worked).
Is it possible to configure JBoss to operate in the same fashion so that roles only get authorized if they are specifically needed?
Thanks for any insight!