This scenario comes into play when we develop an application, maybe a credit card authorization, where the service provider has its own web layer, so there is no need to apply authentication. But in case of a third party using the services, it needs to be authenticated.
We can wrap the services with LDAP/DB authentication, but that will be unnecessary for the in-house application.
a) Can we implement EJB security such that it depends on the requester's web URL context? Meaning, if the request is from a particular URL context, do not apply any authentication (so that we check for the in-house app URL context and force authentication for other contexts).
b) If the above can be achieved, what if the third-party app is not a web application but calls through IIOP? How can we force authentication (LDAP/DB) for all IIOP calls?
You can set things up so that if a request comes from the web layer it passes a "trusted" user/role to the EJB which always gets in. That way if the request does not come from the web layer, it forces authentication by the actual requestor.
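As an added example (not code from the question or the answer above), the trusted-role arrangement the answer describes, written with standard Java EE annotations; the bean, interface, role and servlet names are assumed, and each top-level type would normally live in its own source file:

```java
// --- CardAuth.java: @Remote so the bean is also reachable over IIOP ---
import javax.ejb.Remote;
@Remote
public interface CardAuth {
    boolean authorize(String cardToken, long amountCents);
}

// --- CardAuthBean.java: every method needs a role, so no anonymous path exists.
// An IIOP client therefore has to authenticate against the container's LDAP/DB
// realm and be mapped to "partner"; only the in-house web module holds "trusted".
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.*;
@Stateless
@RolesAllowed({"trusted", "partner"})
public class CardAuthBean implements CardAuth {
    @Resource private SessionContext ctx;

    public boolean authorize(String cardToken, long amountCents) {
        // Identity the container established for this call: "trusted" when the
        // web layer used @RunAs, otherwise the principal the IIOP caller proved.
        String caller = ctx.getCallerPrincipal().getName();
        boolean fromWebLayer = ctx.isCallerInRole("trusted");
        System.out.println("authorize by " + caller + " fromWebLayer=" + fromWebLayer);
        return amountCents > 0;   // placeholder business rule (assumed)
    }
}

// --- AuthorizeServlet.java: the in-house web layer calls the EJB as "trusted" ---
import java.io.IOException;
import javax.annotation.security.*;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
@WebServlet("/authorize")
@DeclareRoles("trusted")
@RunAs("trusted")   // deployment-time identity swap; grant this role to no real user
public class AuthorizeServlet extends HttpServlet {
    @EJB private CardAuth cardAuth;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        long amount = Long.parseLong(req.getParameter("amount"));
        boolean ok = cardAuth.authorize(req.getParameter("token"), amount);
        resp.getWriter().print(ok ? "APPROVED" : "DECLINED");
    }
}
```

How the container demands client authentication on the IIOP transport itself (CSIv2 settings) is server-specific configuration and is not shown here; the point of the annotations is that the bean offers no role-free method, so an IIOP caller cannot reach it without a mapped identity.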