stateless webservers and security

 
Ranch Hand
Posts: 1419
The Java Blueprints advises keeping session state in the EJB tier, when EJBs are used. This allows easier and faster clustering and fail-over of multiple webservers.

If one follows that pattern, how is login security handled? Likewise, doesn't the use of SSL assume durable connections between web tier and server?

How does one use SSL and declarative security when clustering multiple stateless webservers to a single EJB tier?

(This is relevant to the SCJEA assignment, in which we are told that there are two webservers.)
 
Ranch Hand
Posts: 317

Originally posted by Frank Silbermann:
The Java Blueprints advises keeping session state in the EJB tier, when EJBs are used. This allows easier and faster clustering and fail-over of multiple webservers.

If one follows that pattern, how is login security handled? Likewise, doesn't the use of SSL assume durable connections between web tier and server?

How does one use SSL and declarative security when clustering multiple stateless webservers to a single EJB tier?

(This is relevant to the SCJEA assignment, in which we are told that there are two webservers.)
Frank,
Let's take one concept at a time and see where it fits in the overall architecture.

SSL - This is mainly used between the browser and the web server, so that each can authenticate the other and a trust relationship is created for the duration of the session. I don't think we need SSL between the web server and the application server (correct me if I am wrong). SSL will make sure that the data is properly encrypted during transit, that no one alters it, and that no one assumes a false identity, etc. This is part of our non-functional requirements. It has nothing to do with login, user profile, etc.

Login Authentication - This is mainly a business requirement. We need to authenticate the user to make sure that he/she is a part of the system and has an existing profile. The user can be authenticated declaratively via the web container and, in the case of the web app, the User Principal is propagated to the application server. This is handled transparently to the system and is between the web server and the app server.
Now that we have a couple of web servers, we can design a cluster and also make sure that server affinity is maintained. Server affinity will make sure that the server which first serves or responds to a particular client request is used for the entire session. That way, the session will be maintained by that particular web server and propagated to the app server whenever needed.

Now that we have defined these concepts... does it answer your question? If not, could you please rephrase it so I could understand it better?

Thanks,
Parag
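As an added illustration of the declarative wiring Parag describes (example descriptors, not taken from either post): the web tier's web.xml forces SSL and container-managed login for a protected URL space, and the EJB tier's ejb-jar.xml gates the bean's methods on the same role, which the container checks against the caller principal propagated from the web server. The role name, URL pattern, bean name and login page names are assumed, and both descriptors are excerpts.

```xml
<!-- web.xml (web tier, deployed identically on every clustered web server) -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer area</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <!-- only authenticated users holding this role may reach /account/* -->
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL forces HTTPS between browser and web server;
         the container redirects plain-HTTP requests to the SSL port -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- the web container performs the login; the resulting Principal
       travels with each EJB call, so no password ever crosses tiers -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>

<!-- ejb-jar.xml (EJB tier): the same role guards the bean, so a call
     arriving from any web server is authorized on the propagated
     caller principal, not on which web server handled the session -->
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>customer</role-name>
    </security-role>
    <method-permission>
      <role-name>customer</role-name>
      <method>
        <ejb-name>AccountFacade</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Because authorization in the EJB tier depends only on the propagated principal and role, the descriptors can be deployed unchanged on each web server in the cluster; the SSL session itself terminates at whichever web server the client is pinned to.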
 