How to avoid session-related parameters in business layer?


I have a Java EE application (simple web GUI, a large EJB 3 business layer, JPA), most of whose functions depend on the currently logged-on user.

Because of this, the EJBs are infested with an omnipresent `String userName` parameter. You can hardly find a non-trivial method that goes without it, and it descends all the way down to the most basic EJBs. Occasionally it is supplemented by other session-related parameters, like the user's locale.

As a result, parameter lists grow and code clarity suffers. It's probably a common problem; how to avoid it? Pushing more code to the GUI client seems an even crazier idea.


There are 1 best solutions below


Java EE has support for security context propagation across various layers. For example, check out the various methods on the EJBContext related to authentication/authorization, such as `getCallerPrincipal()` and `isCallerInRole()`. I suggest you read the two articles below:

  1. High level introduction to end to end security
  2. Introduction to Security in the Java EE Platform
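
An added example, not part of the original answer, of the approach it describes: a session bean that takes the caller's identity from the container-propagated security context instead of a `userName` argument. The bean, method and role names (`OrderService`, `findOrders`, `user`, `auditor`) are hypothetical, and the code assumes an EJB 3 container with authentication already configured.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean; class, method and role names are illustrative only.
@Stateless
@RolesAllowed({"user", "auditor"})   // the container rejects callers holding neither role
public class OrderService {

    @Resource
    private SessionContext ctx;      // injected by the container; exposes the caller's security context

    // Before: public List<String> findOrders(String userName, String owner)
    // The identity was an ordinary argument, so every caller in the chain had to
    // pass it along, and the bean had to trust whatever value arrived.
    public List<String> findOrders(String owner) {
        // Identity established by the container at authentication time,
        // not a value supplied by the client.
        Principal caller = ctx.getCallerPrincipal();
        String userName = caller.getName();

        // Users may read only their own orders; auditors may read anyone's.
        if (!userName.equals(owner) && !ctx.isCallerInRole("auditor")) {
            throw new EJBAccessException(
                    userName + " is not allowed to read orders of " + owner);
        }
        return loadOrders(owner);
    }

    // Stand-in for the JPA query; returns constructed sample data.
    private List<String> loadOrders(String owner) {
        List<String> orders = new ArrayList<String>();
        orders.add("sample-order for " + owner);
        return orders;
    }
}
```

Beans called from `findOrders` see the same caller through their own injected `SessionContext`, so the user name does not need to be threaded through their parameter lists either.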