users@glassfish.java.net

Re: Need of invoker EnterpriseBean as parameter in RoleMapper impl class

From: <glassfish_at_javadesktop.org>
Date: Fri, 05 Jun 2009 12:48:30 PDT

We provided the in-memory policy provider to make it easy to solve some of these problems, and I am happy to see that you have made great progress in that regard.
We intend to further refine the provider to make it easier to extend, and to show people how one might realize an instance scoped container access control system.

wrt extending the provider to support instance scoped access control, ayk, JACC provides the EnterpriseBean policy context handler. You may encounter issues, but I think you could try to achieve your objective by revising the doImplies method (of SimplePolicyConfiguration) such that it uses the policy context handler to acquire the EnterpriseBean (when the permission being checked is of type EJBMethodPermission).

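// getContext returns Object (and may throw PolicyContextException), so a cast is needed
EnterpriseBean ejb = (EnterpriseBean) PolicyContext.getContext("javax.ejb.EnterpriseBean");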

Then you could have your JACCRoleMapper implement an additional method/interface to determine if the current caller is in the role wrt the instance; something like

roleMapper.arePrincipalsInRole(id,principals,role.getName(),ejb);

which you would call when ejb != null, ejb instanceof EntityBean, and rvalue != 1.

Some time has passed since I did anything like this, so please let me know what you find.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=349439
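
A sketch of the instance-scoped check described in the message above, as an added example that is not part of the original post or of GlassFish's provider code. The `InstanceRoleMapper` interface and `InstanceScopedCheck` class are hypothetical names; the call site inside `doImplies` (including the `rvalue` condition) is left to the provider, since its internals are not shown on this page. It needs the Java EE `javax.ejb` and `javax.security.jacc` APIs on the classpath.

```java
import java.security.Permission;
import java.security.Principal;
import javax.ejb.EnterpriseBean;
import javax.ejb.EntityBean;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

// Hypothetical extension interface for the role mapper; not a GlassFish or JACC type.
interface InstanceRoleMapper {
    boolean arePrincipalsInRole(String contextId, Principal[] principals,
                                String roleName, EnterpriseBean ejb);
}

final class InstanceScopedCheck {
    // Policy context handler key named in the message above.
    private static final String EJB_KEY = "javax.ejb.EnterpriseBean";

    private InstanceScopedCheck() { }

    /**
     * Returns true only when the permission is an EJBMethodPermission, the
     * container hands back an EntityBean for the current invocation, and the
     * mapper confirms the role for that instance. Every other path denies.
     */
    static boolean instanceAllows(InstanceRoleMapper mapper, String contextId,
                                  Principal[] principals, String roleName,
                                  Permission permission) {
        if (!(permission instanceof EJBMethodPermission)) {
            return false; // instance scoping only applies to EJB method calls
        }
        final Object ctx;
        try {
            // getContext returns Object; the handler may be unregistered or fail.
            ctx = PolicyContext.getContext(EJB_KEY);
        } catch (PolicyContextException e) {
            return false; // fail closed: no bean, no instance-level grant
        }
        if (!(ctx instanceof EntityBean)) {
            return false; // also covers null (no bean available for this call)
        }
        return mapper.arePrincipalsInRole(contextId, principals, roleName,
                                          (EnterpriseBean) ctx);
    }
}
```

The helper denies on every error path, so a missing handler or a non-entity bean can never widen access beyond what the role-level check already granted.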