Hi Pedro,
Yes, I'm trying to store permissions (along with everything else) in JPA entities. Right now, I'm just evaluating PicketLink as a replacement for a homebrew authentication/authorization framework we've been dragging around for a couple years. So far, I'm happy with what I'm seeing, especially the fact that you guys fixed the EclipseLink problems I reported a while back. 
For the project I'm currently working on, the use case is very simple. There are users, and each user will have exactly one role. Roles will have permissions attached to them. Right now, there is only one type of resource that is permissioned: pages in a JSF UI. No permission means no access. If a role has permission to access a given page, then it can have either read-only permission (you can look at data shown on the page, but not change it) or read-write permission (you can look at and change data shown on the page).