Just in case anyone is ever looking for ideas, I figured I would post my solution to my problem:
Once a user has logged into my application and is authenticated, I store a MD5 hash 'login_key' in flex user model. This key is created by coldfusion and saved into a table that logs the association of user_id to that key.
When the user runs a report, I pass their login_key in the URL parameters. I have a j2ee filter that grabs it, runs a query first to see if it's valid, and then to verify the user_id associated with that key actually has access to the report parameters it is requesting (just in case some users make some changes to the url string). I added my new filter jar file (aptly named BirtSecurityProject.jar) to /usr/jboss/latest/server/default/, and then updated the web.xml file found in /usr/jboss/latest/server/deploy/birt-viewer.war/WEB-INF with the following:
<filter>
<filter-name>ViewerFilter</filter-name>
<filter-class>org.eclipse.birt.report.filter.ViewerFilter</filter-class>
</filter>
<filter>
<filter-name>SecurityFilter</filter-name>
<filter-class>com.mycompany.security.BirtSecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ViewerFilter</filter-name>
<servlet-name>ViewerServlet</servlet-name>
</filter-mapping>
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<servlet-name>ViewerServlet</servlet-name>
</filter-mapping>
As long as the user is authenticated and passes the check, then reports run fine, otherwise they get a nice "you fail" message
Thanks,
Amanda