users@glassfish.java.net

Re: Possible to include HTTP header information as part of RMI-IIOP?

From: <glassfish_at_javadesktop.org>
Date: Fri, 23 May 2008 06:27:00 PDT

All current EE containers are required to support identity propagation on ejb invocations originating in a web container. It sounds like you would like to propagate additional identity attributes. The underlying protocol, i.e. CSIv2, allows for inclusion of an authorization token in addition to the propagated identity token, but support for the authorization token is not included in the conformance level that EE containers are required to support.

If you can modify your app topology such that the web and ejb tiers are in the same process, then we can factor out propagation on the wire, and the ejb tier will effectively see the security context as established by the web tier. I realize this may not be possible, although it may be possible for you to forward requests from an external web tier to an internal web tier.

I believe the suggestions made by Ken will provide you with a way to operate on the message headers at both ends of the dialog. If, on the ejb side, you want to include the cookie in the container authentication identity as applied in the ejb access decision, then you would need to find a way to interpret the headers in advance of the service ejb, and you would need to use the appropriate APIs to effect the container authentication context.

You probably have already ruled out having your web-tier component extract the cookie and pass it as an argument in the ejb invocation. In this case the cookie would be seen by the server side after the ejb access decision, so as above you would probably need to have a gateway ejb (sort of like the gateway web tier I suggest above) if you want the cookie to be set in the authentication identity applied in the container access decision prior to invoking the service ejb.

In a GlassFish container, another approach that *might* work would be to configure a custom web-tier authentication module, such that the identity resulting from the web-tier authentication and propagated within the identity token includes the cookie value. Then, at the ejb container, you might be able to configure a custom realm that is able to decompose the token and transform the cookie part into something like a group name. This last approach will likely require deep knowledge of the token formats and the way the GlassFish infrastructure processes them, and may be difficult to support on other appservers.

Ron

btw, configuring custom web-tier authentication modules is something that is relatively easy to do in GlassFish
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=276295
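The "cookie folded into the propagated identity" approach from the last paragraph, as an added illustration that is not part of the post or of GlassFish: the composite caller name a custom web-tier JSR 196 module would hand to CallerPrincipalCallback, and the decomposition an ejb-side custom realm would apply. The separator, the allowed character set and the `cookie:` group prefix are assumptions; the validation is the part that matters, because a cookie value that can carry the separator would be decomposed into a different user or group at the ejb tier.

```java
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.callback.CallerPrincipalCallback;

/** Composite caller name carrying a cookie value inside the identity token (illustration). */
public final class CookieTaggedIdentity {
    // Assumed separator between the authenticated user name and the cookie value.
    private static final char SEP = '|';
    // Both halves must match this before they are combined, so neither can smuggle
    // a separator or whitespace and be decomposed differently on the ejb side.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._-]{1,64}");
    // Assumed prefix for the group the ejb-side realm derives from the cookie.
    private static final String GROUP_PREFIX = "cookie:";

    private CookieTaggedIdentity() {}

    /** Web tier: build the name that goes into the propagated identity token. */
    public static String encode(String user, String cookieValue) {
        if (user == null || !SAFE.matcher(user).matches())
            throw new IllegalArgumentException("unsafe user name");
        if (cookieValue == null || !SAFE.matcher(cookieValue).matches())
            throw new IllegalArgumentException("unsafe or missing cookie value");
        return user + SEP + cookieValue;
    }

    /** Web tier: what a ServerAuthModule.validateRequest would do with the name. */
    public static void assertCaller(CallbackHandler handler, Subject clientSubject,
                                    String user, String cookieValue) throws Exception {
        handler.handle(new Callback[] {
            new CallerPrincipalCallback(clientSubject, encode(user, cookieValue)) });
    }

    /** Ejb tier: split the propagated name into {user, derived group}. */
    public static String[] decompose(String taggedName) {
        int i = taggedName.indexOf(SEP);
        if (i < 0 || taggedName.indexOf(SEP, i + 1) >= 0)
            throw new IllegalArgumentException("not a cookie-tagged name");
        String user = taggedName.substring(0, i);
        String cookieValue = taggedName.substring(i + 1);
        if (!SAFE.matcher(user).matches() || !SAFE.matcher(cookieValue).matches())
            throw new IllegalArgumentException("tampered name");
        return new String[] { user, GROUP_PREFIX + cookieValue };
    }

    public static void main(String[] args) {
        String[] parts = decompose(encode("alice", "gold"));
        System.out.println(parts[0] + " -> " + parts[1]);   // alice -> cookie:gold
        encode("alice", "gold|admin");                      // throws: separator in value
    }
}
```

The realm would map `parts[1]` to the group consulted by the ejb access decision; a user whose name fails the pattern is rejected in the web tier rather than propagated.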