I'm working in a project where there's a requirement that the user must be able to assign users to dynamically defined groups. These groups are constituted in terms of the actions they may perform in the system. The most flexible way of doing this and still leverage ejb declarative security mechanisms would be to create a role per ejb method (action), which sounds a little cumbersome.
Can anyone's experience advise on better practices? Would you recommend programming security proxies instead?
Thanks in advance.
I would look at creating a custom java.security.acl.Group that was used as the Roles group in the authenticated subject to allow for use of the declarative security as a start.
You could certainly use custom interceptors to add arbitrary security if this does not work.
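A sketch of the custom Roles group suggested in the reply above, added here as an illustration and not code from the original thread. It assumes the container authorizes a call by invoking `isMember` on the subject's `Roles` group with the role named in the deployment descriptor. The class name, the in-memory `GROUP_ACTIONS` store and the `OrderBean.*` action names are hypothetical, and `java.security.acl` is only available on JDKs before 14.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical "Roles" group: membership is resolved at check time from
 *  runtime-editable user groups instead of a fixed list of role principals. */
public class DynamicRolesGroup implements Group {
    /** Constructed stand-in for the store mapping group name -> permitted actions. */
    static final Map<String, Set<String>> GROUP_ACTIONS = new ConcurrentHashMap<>();

    private final Set<String> userGroups; // dynamic groups the subject belongs to

    public DynamicRolesGroup(Collection<String> userGroups) {
        this.userGroups = new HashSet<>(userGroups);
    }

    @Override public String getName() { return "Roles"; }

    /** role.getName() is the per-action role declared for the EJB method. */
    @Override public boolean isMember(Principal role) {
        if (role == null) return false;
        for (String g : userGroups) {
            Set<String> actions = GROUP_ACTIONS.get(g);
            if (actions != null && actions.contains(role.getName())) return true;
        }
        return false; // default deny: unknown group or unmapped action
    }

    /** Snapshot of the actions currently granted through the user's groups. */
    @Override public Enumeration<? extends Principal> members() {
        Set<String> names = new TreeSet<>();
        for (String g : userGroups)
            names.addAll(GROUP_ACTIONS.getOrDefault(g, Collections.<String>emptySet()));
        List<Principal> out = new ArrayList<>();
        for (String n : names) out.add(named(n));
        return Collections.enumeration(out);
    }

    // Membership is derived from the store, so direct mutation is refused.
    @Override public boolean addMember(Principal p) { return false; }
    @Override public boolean removeMember(Principal p) { return false; }

    static Principal named(String n) { return () -> n; }

    public static void main(String[] args) {
        GROUP_ACTIONS.put("clerks", ConcurrentHashMap.newKeySet());
        GROUP_ACTIONS.get("clerks").add("OrderBean.create");
        Group roles = new DynamicRolesGroup(Arrays.asList("clerks"));
        System.out.println(roles.isMember(named("OrderBean.create")));
        System.out.println(roles.isMember(named("OrderBean.delete")));
        GROUP_ACTIONS.get("clerks").add("OrderBean.delete"); // an admin edits the group
        System.out.println(roles.isMember(named("OrderBean.delete")));
    }
}
```

The deployment descriptor still declares one role per method, but those roles are never assigned to users directly; only the group-to-action mapping changes at runtime.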