I was surfing the other day and found a post on Frank Nimphius' web log. He writes about Oracle and also about security in J2EE with an Oracle slant. So I check out his site from time to time. I found this post entitled J2EE security: Dynamically show/hide UIX components based on an isUserInRole() J2EE security evaluation. This is an interesting post from Frank.
The post starts by referencing a new paper that he has recently written called "J2EE Security in Oracle ADF Web Applications". This is a 54 page paper and focuses on applying J2EE security to web applications built with the Oracle Application Developer Framework (Oracle ADF) and Apache struts. I have not read it yet, i will do tonight I hope but from skimming it after downloading it looks very interesting.
Franks blog entry is about how dynamically show / hide UIX components based on the users J2EE security role membership. Frank says that he shows how to do this in his paper for JavaServer pages using the struts request tag library. This is not possible for UIX pages. Frank goes on to explain how to do this with an example that uses Expression Language and an indirect way of accessing isUserInRole().