This is actually spawning from a thread I started in JBossWS, but now it is more appropriate to be located in this forum.
I still don't understand quite yet. I have three questions.
1. What documentation exists that explains how to write a custom security interceptor?
2. Can I use BASIC authentication with a custom security interceptor?
3. Finally, where do I find documentation on SecurityProxy?
I have checked the Wiki, there doesn't appear to be anything there on these. Also, I've read the very solid HOWTO documentation, linked from the Wiki, but that explicitly reads:
The security-proxy element identifies a custom security interceptor that allows per-request security checks outside the scope of the EJB declarative security model without embedding security logic into the EJB implementation. I won't go into detail about that JBoss-specific feature, as this article focuses on using JAAS to implement the standard declarative security model.
1+3 discussed in the online admin devel guide.
2 is not revelevant. The web tier authentication is handled by the web container and after that is propagated as a principal and credential that the security domain associated with the ejb will have to validate. The type of authentication on the web tier does not affect an ejb security interceptor.