You are right. Deploying a full user directory on each client is not a good idea. Don't you have a 'global' directory available, so you can use e.g. LDAP?
For production we intend to use a directory service. But then it must be reachable from the client.
However, would the design allow a client login module (i.e. a ClientUsersRoleLoginModule) which can directly delegate the login check to the app server?
> Using the
> ClientLoginModule the call LoginContext.login() seems
> just to store the login credentials.
That is right.
> It does not
> perform a real login request to the server. Just at
> the moment the first EJB activity is initiated the
> security check is done.
That is because there is no such thing as "doing a login on an EJB". The security check has to be done on any EJB call (not just the first).
> Is it possible to perform the "real" login while
> calling LoginContext.login()? Using the
> UsersRolesLoginModule on the client I get the
> requested behaviour, but it means I have to deploy
> users.properties & roles.properties files on each client :((
Yes, this is the way to go; this is how JAAS works. You configure an additional login module that performs the check you need. There is no need to stick to UsersRolesLoginModule: you can use a module that actually performs the login check on the server.
Another option that might better suit your needs is to call a (dummy) secured EJB method at the moment you want the username/password to be validated, e.g. when the user logs in to the Java client.
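The two suggestions above (a stacked login module that does the real check, and validating by calling a dummy secured EJB) can be combined in one JAAS module. The following is an added example, not code from this thread or from JBoss: a standard `javax.security.auth.spi.LoginModule` whose `login()` collects the username/password through the usual callbacks and immediately tries a secured remote call with them, so that `LoginContext.login()` throws `FailedLoginException` on a bad password instead of succeeding silently. The class name `ServerCheckLoginModule`, the `CredentialVerifier` interface, the remote interface `Ping` with its `ping()` method and the JNDI name `ejb/Ping` are all assumptions for the example; whether `Context.SECURITY_PRINCIPAL`/`SECURITY_CREDENTIALS` in the JNDI environment are forwarded to the server's security check depends on the application server's JNDI provider, so that is an assumption too.

```java
// ServerCheckLoginModule.java  (added example; not from the original thread or from JBoss)
//
// Example JAAS configuration (auth.conf) stacking it in front of the JBoss
// client module, so credentials are verified now AND cached for later EJB calls:
//
//   client {
//       ServerCheckLoginModule required;
//       org.jboss.security.ClientLoginModule required;
//   };
import java.io.IOException;
import java.rmi.AccessException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ServerCheckLoginModule implements LoginModule {

    /** The real check (assumed interface). Returns false for bad credentials,
     *  throws LoginException when the server could not be asked at all. */
    public interface CredentialVerifier {
        boolean verify(String user, char[] password) throws LoginException;
    }

    /** Remote view of the dummy secured bean (assumed for the example). */
    public interface Ping extends Remote {
        void ping() throws RemoteException;
    }

    private CallbackHandler handler;
    private CredentialVerifier verifier = new EjbPingVerifier();
    private boolean loginOk;

    /** Allows a test or a different transport to replace the verifier. */
    public void setVerifier(CredentialVerifier v) { verifier = v; }

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e);
        }
        char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
        try {
            loginOk = verifier.verify(nc.getName(), pw);   // the real, immediate check
        } finally {
            Arrays.fill(pw, '\0');   // do not keep the clear-text password around
            pc.clearPassword();
        }
        if (!loginOk) throw new FailedLoginException("server rejected credentials");
        return true;
    }

    public boolean commit() { return loginOk; }
    public boolean abort()  { loginOk = false; return true; }
    public boolean logout() { loginOk = false; return true; }

    /** Verifies by invoking a secured EJB method with the given credentials in
     *  the JNDI environment: the server's own security check then either passes
     *  or throws, and that outcome is the answer. */
    public static class EjbPingVerifier implements CredentialVerifier {
        public boolean verify(String user, char[] password) throws LoginException {
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, new String(password));
            try {
                Context ctx = new InitialContext(env);
                Ping ping = (Ping) ctx.lookup("ejb/Ping");  // plain cast; narrow() for RMI-IIOP
                ping.ping();          // method is secured: authorised callers only
                return true;
            } catch (AccessException e) {
                return false;         // authentication/authorisation failed: bad credentials
            } catch (NamingException | RemoteException e) {
                // Server unreachable or broken: not a wrong password, so don't report it as one.
                throw new LoginException("cannot reach server for login check: " + e);
            }
        }
    }
}
```

With both modules flagged `required`, a rejected password makes `LoginContext.login()` fail right away, which is the behaviour asked for above, while `ClientLoginModule` still stores the credentials for the per-call checks the server performs on every EJB invocation. The verifier deliberately separates "server said no" (a `FailedLoginException` the caller can show as a wrong-password message) from "server could not be asked" (a plain `LoginException`); collapsing the two hides outages behind a misleading login failure. The extra round trip at login time does not replace the server-side check on later calls; it only moves the first rejection to where the user can see it.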