I'm thinking of a custom JAAS LoginModule which delegates the login logic (close the account after three failed tries, and so on) and the data access to a stateful session/entity bean.
What do you think about that thought?
There are many issues with this, mostly bootstrap.
Is this a local login module for a server or a login module for a client?
If client, the login module must communicate with the server securely (to prevent passwords from going over the wire in the clear). This means it needs SSL.
Second, to prevent other clients from accessing the bean (local or remote), you will need method permissions on the bean, which means you will need username/password authentication. So the question then is: what LM do you use for that?
Third, if the server uses this login module at start-up, then it won't have the EJB available at start-up time (since the server's not up yet!).
Other issues are related to malicious attacks (somebody removing the EJB's reference from the JNDI tree, for example).
In summary, not something I'd recommend.
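As an added illustration (not code from either poster), the following Java sketch shows what the "close the account after three failed tries" rule looks like inside a JAAS LoginModule when the account logic sits behind a plain interface rather than an EJB looked up through JNDI. The `AccountStore` interface, the `accountStore` option key, the in-memory store and `UserPrincipal` are all assumptions made for this example; the module is driven directly from `main` so no JAAS configuration file is needed.

```java
import java.security.Principal;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical abstraction over the account data. In the thread's design this would be the
// stateful session/entity bean; here it is an in-memory map so the example runs offline.
interface AccountStore {
    boolean verify(String user, char[] password);
    boolean isLocked(String user);
    void recordFailure(String user);   // locks the account once MAX_FAILURES is reached
    void recordSuccess(String user);   // resets the failure counter
}

class InMemoryAccountStore implements AccountStore {
    static final int MAX_FAILURES = 3;
    private final Map<String, char[]> passwords = new ConcurrentHashMap<>();
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();
    private final Set<String> locked = ConcurrentHashMap.newKeySet();

    InMemoryAccountStore add(String user, String password) {
        passwords.put(user, password.toCharArray());   // constructed sample data, plaintext for brevity
        return this;
    }
    public boolean verify(String user, char[] password) {
        char[] stored = passwords.get(user);
        return stored != null && Arrays.equals(stored, password);
    }
    public boolean isLocked(String user) { return locked.contains(user); }
    public void recordFailure(String user) {
        int n = failures.merge(user, 1, Integer::sum);
        if (n >= MAX_FAILURES) locked.add(user);
    }
    public void recordSuccess(String user) { failures.remove(user); }
}

class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

public class LockoutLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private AccountStore store;
    private String user;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Hypothetical option: the store is handed in at initialisation, so the module
        // performs no JNDI/EJB lookup while the server is still bootstrapping.
        this.store = (AccountStore) options.get("accountStore");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        user = nc.getName();
        char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
        pc.clearPassword();
        try {
            // Check the lock before verifying, so a locked account rejects even a correct password.
            if (store.isLocked(user)) throw new AccountLockedException("account locked: " + user);
            if (!store.verify(user, pw)) {
                store.recordFailure(user);
                throw new FailedLoginException("bad credentials");
            }
            store.recordSuccess(user);
            succeeded = true;
            return true;
        } finally {
            Arrays.fill(pw, '\0');   // do not leave the password in memory longer than needed
        }
    }
    public boolean commit() {
        if (succeeded) subject.getPrincipals().add(new UserPrincipal(user));
        return succeeded;
    }
    public boolean abort() { succeeded = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }

    // Test driver: three wrong passwords, then the right one against the now-locked account.
    static CallbackHandler handlerFor(String name, String pw) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }
    public static void main(String[] args) {
        AccountStore store = new InMemoryAccountStore().add("alice", "correct horse");
        for (String attempt : new String[] { "wrong", "wrong", "wrong", "correct horse" }) {
            LockoutLoginModule lm = new LockoutLoginModule();
            lm.initialize(new Subject(), handlerFor("alice", attempt), Map.of(), Map.of("accountStore", store));
            try {
                lm.login(); lm.commit();
                System.out.println("login ok");
            } catch (LoginException e) {
                System.out.println(e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

The fourth attempt carries the correct password but is refused with `AccountLockedException`, because the store locked the account on the third failure. Handing the store in through the module options is what removes the bootstrap and JNDI concerns raised above: the module never has to find a bean on a server that is still starting, and there is no JNDI entry for an attacker to remove.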