Declarative authorization in Java EE
Is there any declarative way in Java EE to restrict method calls based on both the caller and the target entity?
Let's say I have a Forum object and a user set with the Moderator role, but this is on a per-forum basis. The moderator is the only one that can call the deletePost() method on the Forum entity, the others can only post their own.
Please ignore Spring now; let's stick to Java EE 6 preferably with Glassfish, but I'm open to WAS too.
I can't see how this could be done. Maybe a combination of interceptors and, instead of using the entities directly, use an SLSB. I don't like this, though.
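The interceptor-plus-SLSB combination mentioned in the question, as an added example that is not part of the original post: the check loads the forum server-side and fails closed. `ForumService`, `ForumModeratorInterceptor`, the entity fields and the "forum id is the first argument" convention are assumptions made for illustration, and each public class belongs in its own source file.

```java
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.*;
import javax.interceptor.*;
import javax.persistence.*;

// Hypothetical entity: moderators are stored per forum, not as a container role.
@Entity
public class Forum {
    @Id Long id;
    @ElementCollection Set<String> moderators = new HashSet<String>();
}

// Hypothetical entity: every post belongs to exactly one forum.
@Entity
public class Post {
    @Id Long id;
    @ManyToOne Forum forum;
}

// Hypothetical interceptor: authorizes the caller against the target forum.
public class ForumModeratorInterceptor {
    @Resource SessionContext ctx;
    @PersistenceContext EntityManager em;

    @AroundInvoke
    public Object check(InvocationContext ic) throws Exception {
        // Assumed convention: the first argument is the forum id. The forum is
        // loaded here so the moderator list never comes from the caller.
        Forum forum = em.find(Forum.class, (Long) ic.getParameters()[0]);
        String caller = ctx.getCallerPrincipal().getName();
        if (forum == null || !forum.moderators.contains(caller)) {
            throw new EJBAccessException(caller + " may not moderate this forum");
        }
        return ic.proceed();
    }
}

// Hypothetical SLSB facade: posts are only deleted through this bean.
@Stateless
public class ForumService {
    @PersistenceContext EntityManager em;

    @Interceptors(ForumModeratorInterceptor.class)
    public void deletePost(Long forumId, Long postId) {
        Post post = em.find(Post.class, postId);
        // Tie the post to the authorized forum, or a moderator of one forum
        // could delete posts in another by passing a foreign post id.
        if (post != null && post.forum.id.equals(forumId)) em.remove(post);
    }
}
```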