JBoss allows for a login module to install a custom principal that can be cast to the custom type. This is completely undefined by any spec though, so if you want portability the extended security information would have to be part of the EJB call data.
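The pattern described above, sketched with plain JAAS as an added example (not code from this thread or from JBoss). `TenantPrincipal`, `TenantPrincipalLoginModule`, the `tenant` module option and `tenantOf` are hypothetical names, and the module assumes it is stacked after an authenticating module that publishes the user name in shared state.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical custom principal; "tenant" is a made-up extra attribute.
final class TenantPrincipal implements Principal, java.io.Serializable {
    private final String name, tenant;
    TenantPrincipal(String name, String tenant) { this.name = name; this.tenant = tenant; }
    @Override public String getName() { return name; }
    String getTenant() { return tenant; }
    @Override public boolean equals(Object o) {
        return o instanceof TenantPrincipal && ((TenantPrincipal) o).name.equals(name)
                && ((TenantPrincipal) o).tenant.equals(tenant);
    }
    @Override public int hashCode() { return 31 * name.hashCode() + tenant.hashCode(); }
}

// Hypothetical module: it authenticates nothing itself and must be stacked
// after a module that has already verified the credentials.
public class TenantPrincipalLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> shared, options;
    private TenantPrincipal identity;
    @Override public void initialize(Subject s, CallbackHandler h,
                                     Map<String, ?> shared, Map<String, ?> options) {
        this.subject = s; this.shared = shared; this.options = options;
    }
    @Override public boolean login() throws LoginException {
        Object user = shared.get("javax.security.auth.login.name"); // conventional shared-state key
        Object tenant = options.get("tenant");                      // assumed module option
        if (user == null || tenant == null) throw new LoginException("missing user or tenant");
        String name = user instanceof Principal ? ((Principal) user).getName() : user.toString();
        identity = new TenantPrincipal(name, tenant.toString());
        return true;
    }
    @Override public boolean commit() {
        if (identity == null) return false;
        subject.getPrincipals().add(identity); // installs the custom principal on the Subject
        return true;
    }
    @Override public boolean abort() { identity = null; return true; }
    @Override public boolean logout() {
        if (identity != null) subject.getPrincipals().remove(identity);
        identity = null;
        return true;
    }
    // Consumer side: check before casting. The check also fails when the class
    // was loaded by a different class loader than the one that created the principal.
    static String tenantOf(Principal caller) {
        if (caller instanceof TenantPrincipal) return ((TenantPrincipal) caller).getTenant();
        throw new SecurityException("unexpected principal type " + caller.getClass().getName());
    }
}
```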
Can you tell me which loginModule exactly? Because I am also facing a similar situation. Also, should that custom Principal class file be bundled with the ear?
I am using a custom-built login module. I am still in the process of development, but yes, I am expecting to bundle the login module and the custom principal with the ear. This will be interesting though, as I am half expecting classloading issues. However, if this is the case I will adopt the same principle as the jbosssx jar and put it in lib, since our login module will be used by many ears and I am happy with the wider scope in this case. Are you having issues with this?
The other problem I am expecting to face is the propagation problem. My custom login module returns a bespoke caller principal identity; however, I am unsure whether I will have a problem with the ClientLoginModule, which just transfers the username and password.
If this is the case, how can I expect my EJBs to get access to the bespoke caller principal on subsequent EJB invocations? Does JBoss use the username to locate the original principal?