Hi,

Going further with the Bigbank scenario, I have now split up the three different accounts - Savings, Stock and Checking - into individual composites.

The checkingAccount service is exposed as a web service and is enabled for authentication. Now I am trying to incorporate authorization into the checkingsAccount implementation, i.e. allow access to account information only to its owners. The authentication of users happens at the wsBinding, and the authenticated principal must now be used for authorization by the checkingsAccount Java implementation.

I spent a bit of time exploring how I could fit JAAS into this scenario and just could not figure out a neat fit. JAAS authorization seems to be good when we are treating things as just Java resources, but over here it seems to me that we are doing things at the application layer. So for now I plan to resort to a higher-level authorization where I plan to maintain an access control list that will provide a list of which user owns which account.

With this, I am figuring out how the authenticated principal could be passed over from the wsBinding to the javaImplementation. Obviously the Message object seems to be the only viable carrier, and I am trying some things around that. Will post next on what actually works at the end of all this.

Meanwhile, thoughts / suggestions?

Thanks - Venkat
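The ownership check described in the post, as an added example that is not Venkat's code and not part of the Tuscany BigBank sample. It assumes a hypothetical RequestContext that the binding populates with the authenticated java.security.Principal after authentication (a stand-in for whatever the Message object ends up carrying); the AccountAcl, CheckingAccountServiceImpl and AccountInfo names are likewise assumptions for illustration. The two points a practitioner would want are that the principal is taken only from what the binding set, never from anything the client sent in the request body, and that the check fails closed: a missing principal, an unknown account and an account owned by someone else all get the same denial, so the response does not reveal which accounts exist.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical per-invocation context; the binding sets the caller after authenticating. */
final class RequestContext {
    private static final ThreadLocal<Principal> CALLER = new ThreadLocal<>();
    static void setCaller(Principal p) { CALLER.set(p); }
    static Principal getCaller() { return CALLER.get(); }
    static void clear() { CALLER.remove(); }
}

/** Minimal Principal, as a JAAS LoginModule might produce. */
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Access control list: principal name -> set of account ids that principal owns. */
final class AccountAcl {
    private final Map<String, Set<String>> owners = new HashMap<>();

    void grant(String principalName, String accountId) {
        owners.computeIfAbsent(principalName, k -> new HashSet<>()).add(accountId);
    }

    /** Fails closed: no principal, unknown principal or unknown account all yield false. */
    boolean owns(Principal caller, String accountId) {
        if (caller == null || accountId == null) return false;
        return owners.getOrDefault(caller.getName(), Collections.emptySet()).contains(accountId);
    }
}

final class AccountInfo {
    final String accountId;
    final long balanceCents;
    AccountInfo(String accountId, long balanceCents) { this.accountId = accountId; this.balanceCents = balanceCents; }
}

final class AuthorizationException extends RuntimeException {
    AuthorizationException(String msg) { super(msg); }
}

/** Application-layer authorization inside the component implementation. */
final class CheckingAccountServiceImpl {
    private final AccountAcl acl;
    private final Map<String, AccountInfo> accounts = new HashMap<>(); // constructed sample data

    CheckingAccountServiceImpl(AccountAcl acl) {
        this.acl = acl;
        accounts.put("CHK-1001", new AccountInfo("CHK-1001", 250_00));
        accounts.put("CHK-2002", new AccountInfo("CHK-2002", 1_200_00));
    }

    AccountInfo getAccountInfo(String accountId) {
        // The caller comes only from the binding's authentication result, never from the request body.
        Principal caller = RequestContext.getCaller();
        if (!acl.owns(caller, accountId)) {
            // Same message for "not owner" and "no such account": do not leak account existence.
            throw new AuthorizationException("access denied to account " + accountId);
        }
        return accounts.get(accountId);
    }
}

public class AclAuthorizationDemo {
    /** Simulates the binding: authenticate, set the principal, invoke, then clear the context. */
    static String invoke(CheckingAccountServiceImpl svc, String authenticatedUser, String accountId) {
        try {
            if (authenticatedUser != null) RequestContext.setCaller(new SimplePrincipal(authenticatedUser));
            AccountInfo info = svc.getAccountInfo(accountId);
            return "ALLOW " + info.accountId + " balance=" + info.balanceCents;
        } catch (AuthorizationException e) {
            return "DENY " + e.getMessage();
        } finally {
            RequestContext.clear(); // never let a principal leak into the next request on this thread
        }
    }

    public static void main(String[] args) {
        AccountAcl acl = new AccountAcl();
        acl.grant("alice", "CHK-1001");
        acl.grant("bob", "CHK-2002");
        CheckingAccountServiceImpl svc = new CheckingAccountServiceImpl(acl);

        System.out.println(invoke(svc, "alice", "CHK-1001")); // owner: allowed
        System.out.println(invoke(svc, "alice", "CHK-2002")); // bob's account: denied
        System.out.println(invoke(svc, "alice", "CHK-9999")); // nonexistent: same denial
        System.out.println(invoke(svc, null, "CHK-1001"));    // unauthenticated: denied
    }
}
```

Whatever carrier the binding ends up using, the ACL lookup should key on the Principal the binding attached after authentication; if the implementation also accepts a user name as a service parameter, a caller can simply name someone else's account owner, and the ACL no longer protects anything. The `finally` block matters for the same reason: a principal left behind in a thread-bound context would be inherited by the next request served on that thread.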