Is there any way that I can use a third-party security infrastructure plugged into an App Server to secure my EJB instead of the declarative security features provided by the App Server?
So app servers provide a security implementation on a per-component basis, which is a pretty cool deal. I'd suggest you use it. But there are a ton of 3rd party security products out there for authentication that you can hook into for n-tier products.
It should look like this:
1.) Authentication handled by 3rd party
2.) Security roles and definitions setup in 3rd party
3.) Roles mapped over as appropriate to the EJB domain
This is usually going to be used in a situation where you want to manage a single sign-on, and the enterprise application you're writing is a small piece of a much bigger enterprise network. If you're just writing one application, use the container. Sun actually has a good top-level document on this here:
Don't get a 3rd party product to try and solve the problem of not knowing how to work with the app server security.
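
To illustrate step 3 of the answer above, here is an added example (not part of the original post) of the EJB side of the mapping, using the standard EJB 2.x `ejb-jar.xml` elements. The bean, class and role names are hypothetical, and the step that binds the third-party product's groups to the logical role is container-specific and is only described in a comment.

```xml
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>                 <!-- hypothetical bean -->
      <home>com.example.payroll.PayrollHome</home>
      <remote>com.example.payroll.Payroll</remote>
      <ejb-class>com.example.payroll.PayrollBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Name the bean code passes to isCallerInRole("admin"),
           linked to the logical role declared below. -->
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>payroll-admin</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Logical roles in the EJB domain. The third-party product
         authenticates the user and owns the real groups (for example a
         constructed group "sso-payroll-admins"); the container's
         vendor-specific descriptor or console maps those groups or
         principals onto these role names. -->
    <security-role>
      <role-name>payroll-admin</role-name>
    </security-role>
    <security-role>
      <role-name>payroll-viewer</role-name>
    </security-role>

    <!-- Write access: admins only. -->
    <method-permission>
      <role-name>payroll-admin</role-name>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>updateSalary</method-name>
      </method>
    </method-permission>

    <!-- Read access: both roles. -->
    <method-permission>
      <role-name>payroll-admin</role-name>
      <role-name>payroll-viewer</role-name>
      <method>
        <ejb-name>PayrollBean</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

The container still enforces the method permissions; only the source of the authenticated principal and its group membership moves to the external product.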