OK, so I've been working for months now on a small demo project, and I've created a working application that runs on Tomcat and JBoss, running on remote servers, with both Web and EJB security as described below:
Tomcat 4.1.18 on Sun SunFire V100
*Small application built on Struts
*Using Security filters, LDAPLoginModule, and LoginServlet that take care of authenticating users against a remote directory, and propagating credentials for EJB invocations. (as described @ http://www.luminis.nl/publications/websecurity.html)
Running JBoss 3.0.6 on Sun Enterprise 220R
*Just one simple EJB that does some simple database calls to a remote Oracle DB.
*Using LDAPLoginModule to reauthenticate users and get roles based on the propagated credentials in order to provide method level EJB security.
Not only are all the klugy fixes in order to implement remote container security a headache, but today after I got all of this deployed I tried to run a stress test with 100 concurrent users and only *9* were served.
Are we crazy for trying to separate Tomcat and JBoss? Are we also crazy for trying to implement EJB method level security with separate servers? Is anyone running in this scenario successfully?
I would love to hear any and all input.
Thanks so much,