Hi! First of all, I would definitely go with your second alternative with multiple session beans, each one responsible for a specific service.
Have you had a look at Spring Security? http://static.springframework.org/spring-security/site/index.html
If you want to create your own security solution, the EJB 3 specification does not, to the best of my knowledge, contain anything on programmatic login - that is, how to programmatically set a user principal (something I suspect you will have to do). To find information on such things you have to go outside of the EJB container, for instance to Glassfish. For an example, see the section on Programmatic Login in chapter 5 of the Sun Application Server 9.1 Developer's Guide.
Best wishes!
Ivan A Krizsan
