Just checking on people's opinions on the worthiness of this and the feasibility. Our current environment is JEE 6 using JBoss 6, soon to migrate to JBoss 7. We make use of EJBs using EJB 3.1. Currently, there are no Spring components in the application, but we are trying to see if using Spring Security 3.0 with ACL is feasible. The ACL checking would be performed in the EJB layer to accomplish some finer-grained security at an object level. We are also using CAS as our authentication component and it will also retrieve role information. The presentation layer is REST (JBoss RESTEasy); there is no Spring MVC or any other presentation layer framework. All components are colocated on the same server within the same EAR file.

I've been able to use Spring Security with the CAS authentication filter to authenticate with no problems. Still having issues getting role information... but that should be minor.

The big question is, can the Spring Security Context be propagated to the EJB layer so that we can use Spring ACL Security in the EJB layer? I have not tried this, but if the components are colocated, will the Spring Context be automatically available to the EJBs, or will the EJBs need to contain their own Spring Context to load at EJB startup (perhaps a singleton bean that loads the context...)? If the EJBs must load their own context, how do they get a handle to the Spring Context from the web tier? Will JAAS have to come into play to perform the handshake between the two?

This is the architecture being proposed. Why, you ask? The thought process is that the ACL security in JBoss is not that great and Spring Security provides a much finer-grained security. I haven't seen much on the web regarding Spring Security in EJBs, and my guess is that if you're using Spring... you are not using EJBs. Unfortunately, it is what it is for the department and we're trying to make this work.

I know the first thought would be to remove the EJBs and make them POJOs under Spring... because EJBs in 3.0 are POJOs. Personally, I'm on board with that, but unfortunately, our architecture is being dictated for us and we cannot change at this point in the game. Any thoughts will be greatly appreciated.