I'm looking for a way to implement security in a J2EE environment with a servlet presentation layer and an EJB business logic layer.
In my opinion, the servlet authorization should be URL-based (based on the profile of the user), and the application server should also have some kind of authorization where the web server is not a trusted application (authorization should be based on the profile of the user).
Whitepapers I've seen only describe security in an EJB environment separate from security in a servlet environment. Other whitepapers describe JAAS, but not in a web environment.
One of my requirements is that there should be a separate application to authorize users. Should I invent my own security mechanism, or can I connect JAAS to the standard J2EE security and can I base this on my own user/profile management mechanism?