I'm building a web application in Java EE 6 which is deployed to JBoss AS 7.1

I am using security at beans level (using @RolesAllowed({ "useradmin", "usernormal" }) annotation) and at the front end level (securing xthtm pages int the web.xml).

The authentication is done in JBoss, using its user management or LDAP (just a config change in the standalone.xml).

The whole security framework is working perfectly, even too well if dare say...

Problem

I also have a scheduler using the Java EE TimerService. It can accept different type of jobs, that can be scheduled later in time (original feature for a scheduler...).

I start having problems when the scheduler needs to run jobs that use some business logic beans, which are protected using the @RolesAllowed annotation. In that case, the security framework does its job and denies access to the scheduler.

Questions

• Is there a way to programmatically give security privilege to my bean containing the scheduler?

• Is it possible to fake an http session for the scheduler?

• If so, what are the best practices to store login/password? I imagine it would be quite bad to hardcode them in a static variable...