I am trying to implement security for the following architecture:

• Web tier: Tomcat 7 app server using GWT.
• Back end: JBoss 7.1 app server using EJBs and JPA to persist data. EJBs are consumed remotely by the web tier.

I am thinking of using JBoss security, which involves:

• Creating a security domain in JBoss via login-config.xml
• The security domain uses a DatabaseServerLoginModule to retrieve data from a MySQL db in terms of username/password and roles.
• Authorization: EJB based security by annotating my EJB methods with @RolesAllowed.

I made this working before in a single JBoss and configuring web.xml in JBoss’ Tomcat. Then jboss-web.xml to bind my web application to the security domain that I have created in JBoss.

My concern is now how all this works using two separate servers: a Tomcat web container that makes remote calls to a back-end JBoss. My questions:

• How can I make my Tomcat aware of the security domain defined in the remote JBoss (if possible at all) so that it delegates to JBoss the task of looking up for the credentials in the DB?
• If my GWT components call the remote EJBs, how can I propagate the security credentials from Tomcat to the remote JBoss (principal, password) in a way that I don’t have to specify those in each call?
• Is this feasible at all? Are there other alternatives out there that can make my life easier in this scenario?