Concerning your first question, I suggest you do a "ROLE" table, with one role per user per row:
Concerning your second question, using a custom LoginModule is not really interesting:
- I don't think it will be able to look at the EJBs in your EARs
- It will not provide a great performance improvement (JBossSX caches the principals/roles for 30 minutes)
- The DatabaseLoginModule is already there to do this kind of job.
What you could do (and that's what I've done at work) is to create EJBs to manage your users/roles, and to use the DatabaseLoginModule to run SQL queries directly against your user/role tables.
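The setup described in this answer, as an added example that is not part of the original posts: a `login-config.xml` policy for JBossSX's `org.jboss.security.auth.spi.DatabaseServerLoginModule` (assumed to be the module the answer calls DatabaseLoginModule), reading a role table with one role per user per row. The security domain, datasource, table and column names are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example; all names below are hypothetical.

  Tables the queries assume (one role per user per row):

    CREATE TABLE USERS (
      USERNAME VARCHAR(64)  PRIMARY KEY,
      PASSWD   VARCHAR(128) NOT NULL
    );
    CREATE TABLE ROLE (
      USERNAME VARCHAR(64) NOT NULL REFERENCES USERS (USERNAME),
      ROLENAME VARCHAR(64) NOT NULL,
      PRIMARY KEY (USERNAME, ROLENAME)
    );

  PASSWD holds the base64-encoded SHA-256 digest of the password.

  Constructed sample rows for ROLE:
    ('alice', 'admin'), ('alice', 'viewer'), ('bob', 'operator')
-->
<policy>
  <application-policy name="example-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <!-- JNDI name of the datasource holding the two tables -->
        <module-option name="dsJndiName">java:/ExampleDS</module-option>
        <!-- Must return one column: the stored credential for the user -->
        <module-option name="principalsQuery">SELECT PASSWD FROM USERS WHERE USERNAME = ?</module-option>
        <!-- Must return (role name, role group); the 'Roles' group is the
             one checked against EJB method permissions -->
        <module-option name="rolesQuery">SELECT ROLENAME, 'Roles' FROM ROLE WHERE USERNAME = ?</module-option>
        <!-- Hash the supplied password before comparing, so the table
             never stores clear-text passwords -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

The values stored in `ROLENAME` have to match the role names used in the beans' method permissions exactly, since the container compares them as plain strings.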
Thanks Julien, I swapped my method-permission and role from
* @ejb.permission role-name="admin"
* @ejb.permission role-name="viewer,operator,ntwadmin,admin"
and it did the trick.