In JBoss 4.0 and J2EE 1.4. Stateless Session EJBs can be exposed as web services. You can propagate principal and credentials using basic auth, but the spec really doesn't specify security semantics.
Security isn't difficult to write as an aspect, but what is difficult is plugging in how the client propagates the message. You could specify JAX-RPC handlers on the client and server side to add to the SOAP envelope and propagate security.
Bill, first of all, thanks for your attention!
Well, I really noted that there is a possibility to do what I want! This is a big goal to me! Where I can find some documentations ou tutorials about the development of "Aspect Web Services" in Jboss? Docs about EJB was going exposed as Web Service? And "first steps" in EJB +AOP!
There are many people here in my job that wait for your replies. :]
You will have to write a Handler to propagate principal and credential information.
If you want role-based security at the POJO level, check out these aspects: