Howdy,
Our AJAX (Vaadin) application needs to load anonymously, and the URL
doesn't distinguish what the user is trying to do, so we can't use
url-patterns.
What needs to happen is, the AJAX callback is received by a servlet. This
will end up executing somewhere beyond the servlet. Only the executing code
is aware of the fact that this is a login request (can't use filters afaik),
and at this point we have a user+pass. Here's where my problem lies: what I
need to achieve here is to authenticate the user in such a way that the
user is also visible/used in the EJB 3.1 security context/scope (and CDI).
After this, I'm heading in this direction.....
Providing I can get beyond this, I also need to pragmatically determine if a
user is a particular role. Examples:
* Is the current user a member of the "Life Membership" LDAP group?
* Is the current user the @Owner of this "UserProfileBean"? If yes/no...
@Produce/@Inject them with the appropriate user interface impl or restrict
access on what they can do to a UserProfileBean.doXXXXXX();
Help would be appreciated, I'm lost :)