Thank you very much for your reply.
I have the authentication in place using the Servlet configuration and j_security_check to deny access to protected resources. After this I do have a Principal available, which I thought was related to JAAS?
The complexity comes from the fact that the user belongs to multiple groups, a group is a collection of permissions for a specific client. So the user can belong to group A for client A but also to group B for client B. Group A contains a permission that allows him to create <something>, but only for client A.
The idea is for the user to authenticate and then select which client he is currently doing work for. If he selects Client A then he should only have permissions associated with Group A. It is this part that made me think that I need JAAS and maybe JACC.
Initially I was hoping to create the principles for the permissions. Theses principles would contain the permission and the client. I intended to remove/deactive all principles not relating to the client he selects when he selects the client. In this scenario I would not need to mess with JACC. Unfortunately it seems almost impossible to do this.
When I abandoned hope on the above mentioned approach I though I could extend EJBMethodPermission to bring into account the client selected and the client in the Principle to decide if access is allowed.
So, none of the above is needed? That would be great.
How would I assign him roles after he has logged in if I am not doing it in the LoginModule?
[Message sent by forum member 'drfranknfurter' (drfranknfurter)]
http://forums.java.net/jive/thread.jspa?messageID=293559