Originally posted by Gavin Andrews:
The Web and TravelAgent (Swing) applications have IDENTICAL functionality in that they share all the same use cases.
It would seem that the simplest implementation shares the biz logic in a tier accessed by either a web tier or via a proxied Swing app... i.e. expose the biz tier as, say, SOAP??? Use SOAP from the web app AND the Swing app???
EJB tier business services can be accessed via standard InitialContext and JNDI lookup methods from both Web and Swing clients.
For the application client (Swing) we could use security roles with components in the EJB tier. But how will the authentication/authorization be implemented in practice when the client doesn't know anything about protected resources? Can the client just catch security exceptions and conclude when login is needed, the username/password was wrong, or the credentials weren't enough? Do we need a component in the EJB tier which could tell the client what functionality is available (result of the getCallerPrincipal method)?
Originally posted by D. Rose:
For authentication, can I use a third-party tool (like LDAP) rather than container security?