I know how to form-login on a Java EE web application and to protect URI resources from non-authenticated users. Works.

Now, I thought about using all the Java EE security structure that is already there, simply because I want to avoid duplicating code and making it worse. I want to avoid creating @Entity beans that are already available. Thus I want to secure my EJBs, backing beans, CDI beans and URI resources, all with the same concept. I.e. I need:

Role
    --> javax.management.relation.RoleGroup
    --> java.security.acl.Group ???
User
    --> java.security.Principal

At max, I want to extend the existing implementation and use a more specific implementation. E.g. User --> User with firstname, lastname, etc.

Is there already an interface User in the Java EE security or even an implementation?

Also, if a user is identified with a form-based login, can I check the user's permission also in an EJB (e.g. @Stateless)? E.g. with @RolesAllowed("admin"). Rephrasing: Does the login status prevail also for the EJB context and not only in the web context? (I mean, it's the same container, it should, right?)
There is a class java.security.Principal (e.g. javax.servlet.http.HttpServletRequest#getUserPrincipal). It has a getName method. You should create a custom login module for your application server if you want to extend the Principal object with new fields.
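As an added example (not code from the question or the answer), the following shows the two mechanisms the thread talks about working together: a richer Principal carrying first and last name, and a @Stateless EJB whose @RolesAllowed check is enforced by the EJB container on a call coming from a form-login-protected servlet. It assumes a Java EE 6/7 container with a web.xml that declares FORM authentication and the security role "admin", and a realm whose group-to-role mapping puts the logged-in user into "admin"; the class names AppUserPrincipal, AdminService and AdminServlet are hypothetical, each would live in its own source file, and the container will only hand out AppUserPrincipal instances if a server-specific login module creates them (that module is not shown).

```java
// Added example, not from the original page. Assumes FORM login configured in web.xml,
// a declared security role "admin", and realm group mapping to that role.
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical Principal with extra fields; a custom login module would construct it. */
public class AppUserPrincipal implements Principal, Serializable {
    private final String name;
    private final String firstName;
    private final String lastName;

    public AppUserPrincipal(String name, String firstName, String lastName) {
        this.name = name;
        this.firstName = firstName;
        this.lastName = lastName;
    }

    @Override public String getName() { return name; }   // the only method Principal requires
    public String getFirstName() { return firstName; }
    public String getLastName() { return lastName; }
}

/** Hypothetical EJB: the container checks @RolesAllowed before each business method runs. */
@Stateless
@DeclareRoles({"admin", "user"})
public class AdminService {
    @Resource
    private SessionContext ctx;   // gives access to the propagated caller identity

    @RolesAllowed("admin")
    public String deleteAccount(String accountId) {
        // The caller principal here is the same identity the web tier authenticated.
        Principal caller = ctx.getCallerPrincipal();
        String who = caller.getName();
        if (caller instanceof AppUserPrincipal) {            // only if the login module built one
            AppUserPrincipal u = (AppUserPrincipal) caller;
            who = u.getFirstName() + " " + u.getLastName();
        }
        return "account " + accountId + " deleted by " + who;
    }

    @RolesAllowed({"admin", "user"})
    public boolean callerIsAdmin() {
        // Note: a direct this.deleteAccount(...) call from inside this bean would NOT be
        // intercepted; @RolesAllowed is enforced only on calls through the container proxy.
        return ctx.isCallerInRole("admin");
    }
}

/** Hypothetical servlet behind the FORM login; it forwards the call to the EJB. */
@WebServlet("/admin/delete")
public class AdminServlet extends HttpServlet {
    @EJB
    private AdminService adminService;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Principal webPrincipal = req.getUserPrincipal();   // set by the FORM login
        if (webPrincipal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            // The EJB container re-checks the role independently of any web-tier constraint.
            resp.getWriter().println(adminService.deleteAccount(req.getParameter("id")));
        } catch (EJBAccessException denied) {
            // Reached when the authenticated user is not mapped to "admin".
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

The point of the try/catch is that the EJB-side check does not depend on the servlet being protected by a matching security-constraint: even a URL left open in web.xml cannot reach deleteAccount without the "admin" role, because the EJB container evaluates @RolesAllowed against the propagated caller identity on its own. The two tiers share the same realm and role mapping, so declaring the role once (here via @DeclareRoles and web.xml) is enough for both.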