Just checking on people's opinions on the worthiness of this and the feasibility. Our current environment is JEE 6 using JBoss 6, soon to migrate to JBoss 7. We make use of EJBs using EJB 3.1. Currently, there are no Spring components in the application, but we are trying to see if using Spring Security 3.0 with ACL is feasible. The ACL checking would be performed in the EJB layer to accomplish some finer-grained security at an object level. We are also using CAS as our authentication component and it will also retrieve role information. The presentation layer is REST (JBoss RESTEasy); there is no Spring MVC or any other presentation layer framework. All components are colocated on the same server within the same EAR file.

I've been able to use Spring Security with the CAS authentication filter to authenticate with no problems. Still having issues getting role information... but that should be minor.

The big question is: can the Spring Security Context be propagated to the EJB layer so that we can use Spring ACL Security in the EJB layer? I have not tried this, but if the components are colocated, will the Spring Context be automatically available to the EJBs, or will the EJBs need to contain their own Spring Context to load at EJB startup (perhaps a singleton bean that loads the context...)? If the EJBs must load their own context, how do they get a handle to the Spring Context from the web tier? Will JAAS have to come into play to perform the handshake between the two?

This is the architecture being proposed. Why, you ask? The thought process is that the ACL security in JBoss is not that great and Spring Security provides much finer-grained security. I haven't seen much on the web regarding Spring Security in EJBs and my guess is that if you're using Spring... you are not using EJBs. Unfortunately, it is what it is for the department and we're trying to make this work.

I know the first thought would be to remove the EJBs and make them POJOs under Spring... because EJBs in 3.0 are POJOs. Personally, I'm on board with that, but unfortunately, our architecture is being dictated for us and we cannot change at this point in the game. Any thoughts will be greatly appreciated.
It is easy in a Spring app to look up and use EJBs, but really fun and crazy when you want EJBs to access Spring Beans in an ApplicationContext. There are a couple of solutions out there. I would Google for that first. One possible solution might be Spring <spring-configured>, which allows Dependency Injection to happen to objects that Spring doesn't create but someone else does with "new".

If you can get that to work, then you might be able to hook up Spring Security at the EJB level, although, like you said, no one does that, or I should say, it is done only in extremely rare cases, because people using Spring realize that that is a very stupid architecture design and the architect is clueless on Spring. You can tell your architect I said that. (I worked at JBoss and with EJBs and as an Architect for many years.)
About your role issues. I have a very good guess on what your problem could be without you telling me what it is or any code or config.
Make sure when you get the data for the roles that by default they have the string "ROLE_" prefixed to them. That is the default prefix in Spring Security. There is a way with the AuthenticationManager to change the prefix, or it might be the userDetailsService as an attribute in its XML tag, but I always forget where that is. So if you have just "ADMIN", "USER", etc. in your data store, then you must add "ROLE_" in front of it. That's from back when I spent 3 days trying to figure out why my role-based security didn't work.
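The ROLE_ prefix point made in the answer above, as an added example that is not from the question or the answer: a CAS AuthenticationUserDetailsService that reads the roles released in the CAS assertion and normalises them into ROLE_-prefixed authorities before Spring Security's RoleVoter sees them. It assumes Spring Security 3.0 (GrantedAuthorityImpl and the non-generic AuthenticationUserDetailsService of that version) with the Jasig CAS client, that CAS releases the roles in an attribute named "roles" (single String or a Collection of Strings), and that the bean is wired through CasAuthenticationProvider's setAuthenticationUserDetailsService.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Builds UserDetails from the CAS assertion and prefixes every role with "ROLE_",
// which is what Spring Security's RoleVoter expects by default. Wire it into
// CasAuthenticationProvider via setAuthenticationUserDetailsService(...).
// Assumption: CAS releases the roles in an attribute named "roles".
public class CasRoleMappingUserDetailsService implements AuthenticationUserDetailsService {
    static final String ROLE_ATTRIBUTE = "roles"; // assumed name of the CAS attribute
    static final String PREFIX = "ROLE_";         // Spring Security's default role prefix

    public UserDetails loadUserDetails(Authentication token) {
        Assertion assertion = ((CasAssertionAuthenticationToken) token).getAssertion();
        Map<?, ?> attributes = assertion.getPrincipal().getAttributes();
        List<GrantedAuthority> authorities = toAuthorities(attributes.get(ROLE_ATTRIBUTE));
        // CAS never hands the password to the application, and User rejects an empty
        // one, so a fixed placeholder is used; it is never compared against anything.
        return new User(assertion.getPrincipal().getName(), "CAS_NO_PASSWORD",
                true, true, true, true, authorities);
    }

    // Turns raw role names ("ADMIN", "ROLE_USER", ...) into ROLE_-prefixed authorities.
    // Missing attribute -> empty list: the user is authenticated but holds no ROLE_*,
    // which is exactly the "my roles don't work" symptom described in the answer.
    static List<GrantedAuthority> toAuthorities(Object rawRoles) {
        List<GrantedAuthority> result = new ArrayList<GrantedAuthority>();
        if (rawRoles == null) return result;
        Collection<?> roles = rawRoles instanceof Collection
                ? (Collection<?>) rawRoles : (Collection<?>) Collections.singleton(rawRoles);
        for (Object role : roles) {
            String name = String.valueOf(role).trim();
            if (name.length() == 0) continue;           // ignore blank entries
            if (!name.startsWith(PREFIX)) name = PREFIX + name; // "ADMIN" -> "ROLE_ADMIN"
            result.add(new GrantedAuthorityImpl(name));
        }
        return result;
    }
}
```

If the roles come from a database instead of the CAS assertion, the same normalisation belongs in whatever UserDetailsService loads them; the point is that every authority reaching RoleVoter carries the prefix.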