It is possible for rich clients to make use of JAAS on the client and on the server side to perform authentication and authorization.
1. Use the JBoss client login module (org.jboss.security.ClientLoginModule) to collect the user name and password and to associate them with the caller.
2. Perform a normal JAAS login.
3. Make a call to a server side EJB session bean to retrieve the roles that the current user has.
4. Use the roles returned to enable menu items.
1. Configure a JAAS configuration for your J2EE application and assign the login modules that will authenticate and authorize.
2. Program the security permissions required by the session bean methods either programmatically or declaratively.
3. Provide a method on one of the session bean methods to get the caller principal from the caller. Using this principal, retrieve the roles that the user has and return them to the client.
There are posts (made by me) on this forum concerning how to get the CallerPrincipal to contain a principal object that can be used in the session bean for just this type of scenario.
Acegi is a framework that makes security easier in SpringFramework applications. If you are using this framework then consider using the AuthorityGranter for the portion in the client that retrieves roles from the server.
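An added end-to-end sketch of the client and server halves described in the steps above. It is not code from the original post or from JBoss: the JAAS entry name `ClientLogin`, the JNDI name `RoleLookupBean/remote`, the role names and the bean and interface names are assumptions, and EJB 3 annotations stand in for the declarative permissions (with an EJB 2.x deployment the same `method-permission` constraints go in `ejb-jar.xml`). The only JBoss-specific piece is the real `org.jboss.security.ClientLoginModule` entry in the client's JAAS configuration, which answers `NameCallback` and `PasswordCallback` and attaches the credentials to the caller's outbound EJB calls.

```java
// ---- Client side: assumed JAAS config file (auth.conf) contains
//      ClientLogin { org.jboss.security.ClientLoginModule required; };
//      and is selected with -Djava.security.auth.login.config=auth.conf
import javax.naming.InitialContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.swing.JMenuItem;
import java.util.Set;

public class RichClientSecurity {

    // Step 1 and 2: collect credentials and run the JAAS login against the
    // ClientLogin entry. ClientLoginModule does not verify the password; it
    // only associates it with this caller so the server can authenticate it.
    public static LoginContext login(final String user, final char[] password) throws Exception {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb, "unexpected callback");
                    }
                }
            }
        };
        LoginContext lc = new LoginContext("ClientLogin", handler);
        lc.login();
        return lc; // keep it; call lc.logout() when the user signs off
    }

    // Step 3: ask the server which roles the authenticated caller actually has.
    // The server decides; the client never computes roles locally.
    public static Set<String> fetchRoles() throws Exception {
        RoleLookup bean = (RoleLookup) new InitialContext().lookup("RoleLookupBean/remote"); // assumed JNDI name
        return bean.getCallerRoles();
    }

    // Step 4: roles drive the UI only. A disabled menu item is a convenience,
    // not a control; the bean's @RolesAllowed is what enforces the permission.
    public static void applyRolesToMenu(Set<String> roles, JMenuItem deleteItem, JMenuItem reportItem) {
        deleteItem.setEnabled(roles.contains("admin"));
        reportItem.setEnabled(roles.contains("admin") || roles.contains("operator"));
    }
}

// ---- Server side: remote interface (assumed name) ----
// import javax.ejb.Remote;
@javax.ejb.Remote
interface RoleLookup {
    Set<String> getCallerRoles();
    void deleteEverything();
}

// ---- Server side: session bean (assumed name) ----
// import javax.annotation.Resource;
// import javax.annotation.security.DeclareRoles;
// import javax.annotation.security.RolesAllowed;
// import javax.ejb.SessionContext;
// import javax.ejb.Stateless;
@javax.ejb.Stateless
@javax.annotation.security.DeclareRoles({"admin", "operator", "viewer"})
class RoleLookupBean implements RoleLookup {

    // The application's role vocabulary (assumed); isCallerInRole can only be
    // asked about names declared for the bean, so the list is enumerated here.
    private static final String[] KNOWN_ROLES = {"admin", "operator", "viewer"};

    @javax.annotation.Resource
    private javax.ejb.SessionContext ctx;

    // Any authenticated user with at least one known role may ask for its roles.
    @javax.annotation.security.RolesAllowed({"admin", "operator", "viewer"})
    public Set<String> getCallerRoles() {
        Set<String> roles = new java.util.TreeSet<String>();
        // getCallerPrincipal() identifies who is calling; the role set is derived
        // from the container's view of that principal, not from anything the client sent.
        String name = ctx.getCallerPrincipal().getName();
        for (String role : KNOWN_ROLES) {
            if (ctx.isCallerInRole(role)) {
                roles.add(role);
            }
        }
        // a log line here ("roles for " + name) is useful for audit; omitted for brevity
        return roles;
    }

    // Declarative permission: the container rejects non-admins before this body runs,
    // regardless of what the client's menu allowed.
    @javax.annotation.security.RolesAllowed("admin")
    public void deleteEverything() {
        // privileged operation (body omitted)
    }
}
```

The important property of this layout is that role membership is computed and enforced on the server: the client's `applyRolesToMenu` only hides options, and a modified or scripted client that calls `deleteEverything()` directly still fails the container's `@RolesAllowed` check. Enumerating `KNOWN_ROLES` on the server avoids the need for a JBoss-specific principal object carrying the roles, which is the alternative the post refers to.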
Thank you very much for replying - I was beginning to lose hope. I will look into what you suggest - thanks again!