1) Should be doable via a custom Group added by your login module that responds to role changes while it's cached.
2) Should be done by creating a patch that exposes the container method permissions via JMX. It could also be done by modifying the existing org.jboss.ejb.plugins.SecurityInterceptor.
Thanks for the answers, Scott. About (3), I see that instance-based security has been rolled out of the J2EE 1.4 specification but is being looked at for EJB3. Does JBoss have any plan for such support, and do you know of any white paper I may look out for? I'm slightly wondering about implementing some code that will get J2EE-obsolete in a few years.
What instance-based security are you referring to? Interceptors are the basis for adding arbitrary security checks and these may be standardized for EJB3.
I agree this can be done today, but it looks to me like this is going to be part of the J2EE framework in the future. I'm referring to J2EE 3.7.2 "Instance-based Access Control" in the following document:
Designing today for this empty statement is pointless:
J2EE.3.7.2 Instance-based Access Control
Some applications need to control access to their data based on the content of the
data, rather than simply the type of the data. We refer to this as “instance-based”
rather than “class-based” access control. We hope to address this in a future release.