The spec says on pages 81 and 91 that "accessing resource managers and enterprise beans is disallowed in the session bean methods for which the container does not have a meaningful tx context or client security context."
I notice in the spec on page 80 table 2 and in HeadFirst Java pages 196, 207 and 216 that stateful session beans can access other beans and resource managers in ejbCreate (and also ejbRemove, ejbPassivate and ejbActivate).
Since these methods are not deemed to take place in a transaction, I am confused. Would someone please clarify this issue?
What is important to realise is that, for stateful session beans, methods like ejbCreate() and ejbRemove() operate in a client security context because they are only invoked upon the client invoking create() or remove(). Contrast this with stateless session beans, where the calling of these methods is not tied to the client and they therefore operate without a client security context.
Thanks for your reply, Roger. I now understand that a stateful bean has a client security context and the stateless bean does not. The spec leads one to suppose that access to management resources and other beans requires both a security context AND a transaction. It is the transaction requirement that is causing the confusion, or are you saying that either the transaction OR the security context is enough to establish access?
No, it does not follow. How can the negation of an OR condition require an AND condition?
By your reasoning, the ejbCreate() method of a stateful session bean could get resource manager and enterprise bean access only if the Container has both a meaningful transaction context and client security context. This is clearly not true, as access is possible only because ejbCreate() has a client security context - this method runs without a meaningful transaction context.