I may have diwscussed this with you before. there could be a custom realm that performs authentication (for the appserver) by attempting to connect to the database as the intended user. given a specialized connection manager, the resulting connection could then be used to interact with the database on behalf of the user.
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=281408