Do you guys think JAAS is a better option for authentication and authorization? The web client can also use form-based authentication, which can then pass the principal/role from the web tier to the EJB tier for authorization.
I'd recommend reading IBM Redbook SG246573 (free download from http://www.redbooks.ibm.com ), chapters 6 through 8; these chapters are generic enough to be applied to any J2EE server. It's really excellent; you can find all you need to configure security in a J2EE system (declarative and programmatic security, client-side and server-side authentication, JAAS, CSIv2, LTPA, J2EE client and thin Java client...). Best security practices are, really, well commented.
Regards Marie Pierre [ August 19, 2005: Message edited by: Marie Pierre Courbevoie ]
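The web-tier-to-EJB-tier propagation the thread talks about, as an added example that is not code from the original post or from the Redbook: the container performs the FORM login, the servlet reads the resulting principal, and the same identity is carried on the EJB call where declarative (`@RolesAllowed` / `method-permission`) and programmatic (`isCallerInRole`) checks apply. Class names, role names (`customer`, `teller`), URL paths and account naming are hypothetical; EJB 3.0 annotations are used for brevity, with the J2EE 1.4 `ejb-jar.xml` equivalent shown in a comment.

```java
// Added example (not from the original thread). Each class normally lives in
// its own source file; they are shown together here for readability.
//
// web.xml (web tier): FORM login, a constraint on /account/*, and the roles.
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>account</web-resource-name>
//       <url-pattern>/account/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>customer</role-name></auth-constraint>
//     <auth-constraint><role-name>teller</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/loginError.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>customer</role-name></security-role>
//   <security-role><role-name>teller</role-name></security-role>
//
// login.jsp posts fields j_username and j_password to the URL j_security_check;
// the container, not application code, validates them against its realm.

import java.io.IOException;
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** EJB tier business interface (hypothetical). */
@Local
interface AccountLocal {
    String transfer(String fromAccount, String toAccount, long cents);
}

/** EJB tier. The container checks the caller's role before the method body runs. */
@Stateless
public class AccountBean implements AccountLocal {
    // J2EE 1.4 ejb-jar.xml equivalent of the @RolesAllowed below:
    //   <method-permission>
    //     <role-name>customer</role-name><role-name>teller</role-name>
    //     <method><ejb-name>AccountBean</ejb-name><method-name>transfer</method-name></method>
    //   </method-permission>
    @Resource
    private SessionContext ctx;

    @RolesAllowed({"customer", "teller"})
    public String transfer(String fromAccount, String toAccount, long cents) {
        // Same identity the web tier authenticated; an unauthenticated caller never gets here.
        Principal caller = ctx.getCallerPrincipal();
        // Instance-level rule the descriptor cannot express: a customer may debit
        // only the account named after their own user name (hypothetical naming scheme).
        if (!ctx.isCallerInRole("teller") && !fromAccount.equals(caller.getName())) {
            throw new EJBAccessException(caller.getName() + " may not debit " + fromAccount);
        }
        return "moved " + cents + " cents from " + fromAccount + " to " + toAccount
                + " as " + caller.getName();
    }
}

/** Web tier, mapped under /account/ so the FORM constraint above applies to it. */
class TransferServlet extends HttpServlet {
    @EJB
    private AccountLocal account;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container completed the FORM login before dispatching here.
        Principal user = req.getUserPrincipal();
        // Web-tier programmatic check: tellers may name any source account,
        // customers are pinned to their own (the EJB re-checks this; do not rely on one tier).
        String from = req.isUserInRole("teller") ? req.getParameter("from") : user.getName();
        long cents;
        try {
            cents = Long.parseLong(req.getParameter("cents"));
        } catch (NumberFormatException bad) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "cents must be an integer");
            return;
        }
        try {
            resp.getWriter().println(account.transfer(from, req.getParameter("to"), cents));
        } catch (EJBAccessException denied) {
            // The EJB container rejected the propagated identity; report it, never retry
            // the call under a broader identity from the web tier.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, denied.getMessage());
        }
    }
}
```

Two caveats a practitioner will hit: the role names in `web.xml` and `ejb-jar.xml` are only logical names, so both modules must be bound to the same users or groups in the server's realm (a vendor-specific deployment step, which is what the Redbook chapters cover for WebSphere), and the EJB-side check is the one that counts, since the web tier can be bypassed by any other client that reaches the bean.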