The problem:
I've written several EJB3 soap services that need to be secured by the PortalRealm security domain. When someone is logged into the portlet they can use the soap services... not logged in? no soap for you.
The woe:
No ClassLoaders found for: com.liferay.portal.security.jaas.PortalLoginModule
Which seems innocuous enough until you realize what would be entailed in fixing the class loader problem. I would need to either make my project a direct extension of Liferay or I would need to alter Liferay to extend a custom security module.
Neither solution is good. It would be better if Liferay used a common container managed security system. Perhaps my solution is to somehow combine the realms.