Hi Lucy, that's a good point.
There is a good article on javaworld about that:
http://www.javaworld.com/javaworld/jw-08-2000/jw-0825-ejbrestrict.html The following is a list of Java features that you should avoid, hence restricting their use in your EJB components' implementation code:
Using static, nonfinal fields. Declaring all static fields in the EJB component as final is recommended. That ensures consistent runtime semantics so that EJB containers have the flexibility to distribute instances across multiple JVMs.
Using thread synchronization primitives to synchronize multiple instance execution. By avoiding that feature, you allow the EJB container flexibility to distribute instances across multiple JVMs.
Using AWT functionality for keyboard input/display output. That restriction exists because server-side business components are meant to provide business functionality that excludes user interface and keyboard I/O functionality.
Using file access/java.io operations. EJB business components are meant to use resource managers such as JDBC to store and retrieve application data rather than the file system APIs. Also, deployment tools provide the facility for storing environment entry elements (env-entry) into the deployment descriptor, so that EJB components can perform environment entry lookups in a standardized manner via the environment-naming context. Thus, the need to use file system-based property files is mostly eliminated.
Listening to or accepting socket connections, or using a socket for multicast. EJB components are not meant to provide network socket server functionality; however, the architecture lets EJB components act as a socket client or RMI clients and thus communicate with code outside the container's managed environment.
Using the Reflection API to query classes that are not otherwise accessible to the EJB component due to Java's security rules. That restriction enforces Java platform security.
Attempting to create or obtain a class loader, set or create a new security manager, stop the JVM, change the input, output, and error streams. That restriction enforces security and maintains the EJB container's ability to manage the runtime environment.
Setting the socket factory used by the URL's ServerSocket, Socket, or stream handler. By avoiding that feature, you also enforce security and maintain the EJB container's ability to manage the runtime environment.
Starting, stopping, or managing threads in any way. That restriction eliminates the possibility of conflicts with the EJB container's responsibilities of managing locking, threading, and concurrency issues.
By restricting your use of features 10-16, you aim to plug potential security holes:
Reading or writing a file descriptor directly.
Obtaining security policy information for a particular code source.
Loading native libraries.
Accessing packages and classes that the usual rules of Java make unavailable.
Defining a class in a package.
Accessing or modifying security configuration objects (Policy, Security, Provider, Signer, and Identity).
Using the subclass and object substitution features of the Java Serialization protocol.
Passing the this reference as an argument or returning the this reference as a result. Instead, you must use the result of the getEJBObject() available in SessionContext or EntityContext.
Also in SUN EJB Specs 1.1 you can read the following:
In advanced cases, a session object�s conversational state may contain open resources, such as open sockets and open database cursors. A container cannot retain such open resources when a session bean instance is passivated. A developer of such a session bean must close and open the resources in the ejbPassivate and ejbActivate notifications. So I'll go with the SUN EJB Specs
It's probably not recommended because it adds more complexity to your code (you have to close and open your socket manually in case of passivation of the bean). But it is certainly doable.
Hope this helps,
-Chris
[This message has been edited by Christophe Testi (edited November 15, 2001).]