Container Managed is all I need. It does the things I want, and does it nicely. JAAS is overkill.

Problem is.

1) This method of security wants to use a UserName field in the user table (what the user enters, which would be a business key), and not the real key. Sure, I can make a unique contraint/index on it. It still would be nice if Hibernate and it agreed on what to look for as far as keys went, but this isn't the real annoyance (it is the root cause probably).

2) It wants to look up the security roles for the users in a role table. In this case though, the roles correspond to the object hierarchy I am using in my app.

Every type of user is some flavor of a UserEntity object. UserEntity is subclassed into User, Admin, Rep, etc. These happen to be what the roles would.

It would be sweet if I didn't have to denormalize the object model into a Role table (which also uses the wrong #@(@#@ key!).

I'm sure someone has been similarly annoyed about this as I have. Short of going to JAAS, what's the best way around it?

Bueler? Bueler? Anyone? Anyone?

The biggest pain about this is that the Hibernate Mappings I have are going to be wrong for updating the tables involved in declarative security. I either have to use JDBC or (I guess) create different mappings for the same tables (???).

Is there no better way?