- You could prevent authentication based on a (non-existing) role, if the (custom) login module checks for it.
- But normally, if there is a user with a matching password, the user is authenticated (possibly with no roles at all). So normally authentication (user/password) is not linked with authorization (roles).
- In EJBs you can use declarative authorization based on roles (see `@RolesAllowed`).
- As for EJBs: You can call `EJBContext.getCallerPrincipal()` and `EJBContext.isUserInRole()` in an EJB.
- As for a servlet/JSP: you can call `HttpServletRequest.getRemoteUser()` and `HttpServletRequest.isUserInRole()`.
- As for stand-alone applications, I am not aware of an API.
- So the standard API only allows checking against a role. If you want to get the list of roles, there is no official API.
Anyway, look into the source of a login module (for example: `DatabaseServerLoginModule`). Then write an EJB which does the same (regarding roles lookup), and which returns the list of roles to your stand-alone application.
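
One way to write the EJB described above, as an added example that is not part of the original answer or of any login module's source. It assumes the Java EE 6+ `javax` API, a datasource bound at `java:/ExampleDS`, and a `Roles(PrincipalID, Role)` table; `RoleLookup`, `RoleLookupBean` and `getMyRoles` are hypothetical names.

```java
// --- RoleLookup.java (hypothetical remote interface for the stand-alone client) ---
import java.util.List;
import javax.ejb.Remote;

@Remote
public interface RoleLookup {
    List<String> getMyRoles();
}

// --- RoleLookupBean.java ---
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.ejb.EJBException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.sql.DataSource;

@Stateless
public class RoleLookupBean implements RoleLookup {
    // Assumed JNDI name: point this at the datasource the login module uses.
    @Resource(lookup = "java:/ExampleDS")
    private DataSource ds;
    @Resource
    private SessionContext ctx;

    // Assumed schema Roles(PrincipalID, Role); mirror the login module's roles query.
    private static final String ROLES_QUERY = "SELECT Role FROM Roles WHERE PrincipalID = ?";

    @Override
    public List<String> getMyRoles() {
        // Identity comes from the container, never from a client-supplied argument,
        // so a caller can only read the roles of the user it authenticated as.
        String user = ctx.getCallerPrincipal().getName();
        List<String> roles = new ArrayList<>();
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(ROLES_QUERY)) {
            ps.setString(1, user); // bound parameter, no string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    roles.add(rs.getString(1));
                }
            }
        } catch (SQLException e) {
            throw new EJBException("Role lookup failed", e);
        }
        return roles;
    }
}
```

The method deliberately takes no user name parameter: accepting one would let any authenticated client enumerate other users' roles.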