I'm wondering what is the best way to do the following:
I would like to extend the standard role based access control check which is done by JAAS (based on the role needed to run the method and the role the user has), with a test that will check if the user is allowed to run the method on the given params.
What I have in mind is something like this: for each EJB I will have a permission class (possibly most of them will share the same one), and an interceptor that would call something like SecurityManager (or AccessController) checkPermission. I'm missing quite a lot of the picture though. Not only am I not sure this is the right thing, I'm also not sure about the details of how to do it. For example, how would I map a Permission class to a method in an EJB?
Has anyone done this kind of thing? Any recommendations on the right way?
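One way to wire the pieces described in the question together, as an added example that is not part of the original post: a method-level annotation maps each EJB method to the permission class that must approve the call, and an `@AroundInvoke` interceptor reads that annotation, instantiates the permission class, and evaluates it against the caller principal and the actual method parameters before letting the call proceed. The annotation `RequiresPermission`, the interface `ParamPermission`, the `AccountAccessPermission` class and the in-memory ownership table are all assumptions made for illustration; the standard EJB pieces (`@AroundInvoke`, `InvocationContext`, `SessionContext.getCallerPrincipal()`, `EJBAccessException`) are the real APIs. A plain interface is used instead of subclassing `java.security.Permission` to keep the parameter check explicit; the role check done by JAAS (`@RolesAllowed`) stays on the bean unchanged.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;

/** Hypothetical annotation: maps an EJB method to the permission class that must approve it. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresPermission {
    Class<? extends ParamPermission> value();
}

/** Hypothetical contract: a per-call check over the caller and the real method arguments. */
interface ParamPermission {
    boolean isAllowed(String callerName, Object[] args);
}

/** Hypothetical permission: the first argument is an account id that must belong to the caller. */
class AccountAccessPermission implements ParamPermission {
    // Constructed sample data standing in for an ownership lookup (e.g. a JPA query).
    private static final Map<String, String> ACCOUNT_OWNER = new HashMap<>();
    static {
        ACCOUNT_OWNER.put("acct-100", "alice");
        ACCOUNT_OWNER.put("acct-200", "bob");
    }

    @Override
    public boolean isAllowed(String callerName, Object[] args) {
        // Fail closed: an unexpected signature or an unknown account is a denial, not a pass.
        if (args == null || args.length == 0 || !(args[0] instanceof String)) {
            return false;
        }
        String owner = ACCOUNT_OWNER.get((String) args[0]);
        return owner != null && owner.equals(callerName);
    }
}

/** Interceptor that enforces the annotation before the business method runs. */
public class ParamAuthorizationInterceptor {
    @Resource
    private SessionContext sessionContext;

    @AroundInvoke
    public Object authorize(InvocationContext ctx) throws Exception {
        RequiresPermission required = ctx.getMethod().getAnnotation(RequiresPermission.class);
        if (required != null) {
            // Instantiate the permission named by the annotation (no-arg constructor assumed).
            ParamPermission permission = required.value().getDeclaredConstructor().newInstance();
            String caller = sessionContext.getCallerPrincipal().getName();
            // ctx.getParameters() are the real arguments of this invocation.
            if (!permission.isAllowed(caller, ctx.getParameters())) {
                throw new EJBAccessException("Caller " + caller
                        + " is not allowed to invoke " + ctx.getMethod().getName()
                        + " with the given parameters");
            }
        }
        return ctx.proceed();
    }
}

/** Example bean: the container's role check and the parameter check are both applied. */
@Stateless
@Interceptors(ParamAuthorizationInterceptor.class)
class AccountService {
    @RolesAllowed("customer")
    @RequiresPermission(AccountAccessPermission.class)
    public String closeAccount(String accountId) {
        return "closed " + accountId;
    }
}
```

With this layout, a caller in role `customer` who invokes `closeAccount("acct-200")` as `alice` is rejected by the interceptor with an `EJBAccessException`, while `closeAccount("acct-100")` proceeds; the role requirement alone would have allowed both. Throwing from the interceptor rather than returning a value keeps the decision auditable in the server log, and the check is deliberately deny-by-default when the permission class cannot interpret the arguments.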