JAAS
Jul 13 2009
Using an EJB Interceptor to Inject a "System" Principal in JBoss
On my current project we were recently faced with an interesting security issue. The heart of the problem was that we had a set of secured EJB 3 services that needed to be called from a jBPM engine in the same container that, for various reasons, was not in a security domain. Here I'll go over how we chose to solve the issue and show some snippets of the "proof of concept" unit test.
The solution we eventually settled on uses an EJB 3 interceptor to inject a custom system principal around any BPM "actions" that need to call secure services. This approach allows the interceptor to be reused for any unsecured system components and is configuration-driven, as we'll see later.
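A minimal sketch of such an interceptor, added here as an illustration and not taken from the project's own code. It assumes the legacy JBoss `org.jboss.security.SecurityAssociation` API; the class name, package and property names are hypothetical, and the system account must exist in the security domain of the services being called.

```java
package example.security; // hypothetical package name

import java.security.Principal;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * Runs the intercepted call under a dedicated "system" identity so that
 * secured EJBs invoked from it see an authenticated caller.
 */
public class SystemPrincipalInterceptor {

    // Hypothetical property names. A real deployment would read these from
    // protected configuration, never from source code.
    private static final String USER_PROP = "example.system.user";
    private static final String PASS_PROP = "example.system.password";

    @AroundInvoke
    public Object runAsSystem(InvocationContext ctx) throws Exception {
        String user = System.getProperty(USER_PROP);
        String pass = System.getProperty(PASS_PROP);
        if (user == null || pass == null) {
            // Fail closed: never proceed with a half-configured identity.
            throw new SecurityException("System principal is not configured");
        }

        Principal principal = new SimplePrincipal(user);
        // Push rather than set, so that whatever identity was already on the
        // thread is restored by the matching pop.
        SecurityAssociation.pushSubjectContext(null, principal, pass.toCharArray());
        try {
            return ctx.proceed();
        } finally {
            // Always pop, even on exceptions. Container threads are pooled,
            // and a leaked system identity would be inherited by the next
            // request served on this thread.
            SecurityAssociation.popSubjectContext();
        }
    }
}
```

The interceptor is bound with `@Interceptors(SystemPrincipalInterceptor.class)` or an `interceptor-binding` entry in `ejb-jar.xml`, and should be attached only to the specific unsecured components that need it, since every call passing through it runs with the system account's roles.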