What I would like to be able to do is this:
1. Not use JAAS for authorization, only authentication.
2. Instead, what I would like to do is write my EJB3 interceptor for authorization.
3. This interceptor would create a MyEJBMethodPermission, and would call the Security Manager with it.
4. What would the MyEJBMethodPermission do in its implies()? It would extract some information from the method parameter, and from that and additional user information would infer what the relevant user's role is, and compare this role with the role that is needed for the method to execute.
My questions are these:
1. Can I extend EJBMethodPermission, and still use JAAS for authorization somehow?
2. If not, can I disable JAAS authorization and do as I described above?
3. Any other recommended way of getting this effect?