Here's an article that describes how it could be done by extending JAAS.
"Extend JAAS for class instance-level authorization"
The fact that it is based on JAAS may or may not fit your situation.
We have also developed something similar (non-JAAS), that enforces different rules/constraints based on the users security role.
The general pattern I see here is that your code must explicitly check for authorization, by delegating to something like an "AuthorizationManager", passing in something like:
- desired "function" (ie. update, withdraw, etc)
- target instance (ie. an account)
Our implementation extends this by discovering the clients security role, and enforcing different rules based on that role.
The rules themselves generally have to check various business relationships in order to make the decision (ie. is the caller the owner of the target account).
No App Server will ever be able to do this for you, because these kinds of constraints are generally business rule based (ie. is the caller the "owner" of the account?, or if the caller is in the "superUser" security role allow any, etc.)
Hope this helps.