When a bean executes a method that has no transaction context, i.e. Never. Can the bean access the security context of the client (session and entity beans)?
If a bean is BMT then my understanding is that it can access any resources in any method it wants (apart from the constructor and the set context method - session and message driven only) only when it starts a transaction; if it has not started a transaction, or it has just ended one, it cannot access the security context, resources or other beans.
Therefore I was just wondering if these methods can only be accessed within a transaction.
Also, with BMT beans, the spec says non-transaction-context methods can access resource managers and other beans, but is that only within a bean-started transaction, or also outside one?
The spec is not that clear, it just says a bean can access these resources in a method without a transaction context. But I assume that is only for BMT beans and only after they start their own transaction.
My understanding is that instance-level security info is not related to the transaction type, but rather to whether the method has been invoked by a client, i.e. getCallerPrincipal() and isUserInRole() return security info about the client.
Therefore the following methods can get security info about a client:
MessageDrivenBeans - no client, no security info.
Stateless SessionBeans - business methods.
Stateful SessionBeans - ejbCreate, ejbPassivate, ejbActivate, ejbRemove, business methods.
Synchronized SessionBeans - same as Stateful, plus afterBegin, beforeCompletion, afterCompletion.
Entity Beans - ejbCreate, ejbPostCreate, ejbLoad, ejbStore, ejbRemove, home business methods, business methods.
These methods get invoked as a result of a client call. Don't take this list as being exhaustive, as I might have missed some methods out.
For a stateful session bean, you can get security information about the client from within ejbActivate()/ejbPassivate() container callback methods i.e. getCallerPrincipal() and isCallerInRole(java.lang.String) can be accessed. A bean can NEVER be passivated if it is in a transaction context. Hence, you can conclude that security information can be obtained (from specific methods) even if transaction context does NOT exist.
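As an added example (not code from this thread), a stateful bean-managed-transaction session bean in EJB 2.x style that reads the caller identity in ejbCreate and ejbActivate, and checks isCallerInRole before starting its own UserTransaction in a business method; the bean name, the role name "auditor" and the deployment-descriptor settings are assumptions.

```java
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.transaction.UserTransaction;

// Stateful session bean with bean-managed transactions (assumes
// transaction-type "Bean" in the deployment descriptor and a
// security-role-ref declaring the role "auditor").
public class AuditSessionBean implements SessionBean {

    private SessionContext ctx;

    public void setSessionContext(SessionContext sc) {
        // Only the context reference may be stored here; the spec does not
        // allow getCallerPrincipal()/isCallerInRole() in this method.
        this.ctx = sc;
    }

    public void ejbCreate() {
        // Invoked on behalf of a client, so the caller identity is available.
        Principal caller = ctx.getCallerPrincipal();
        System.out.println("Created for " + caller.getName());
    }

    // Business method: no transaction context exists until we begin one.
    public void recordAudit(String entry) {
        // Authorization check first, independent of transaction state.
        if (!ctx.isCallerInRole("auditor")) {
            throw new EJBException("caller is not an auditor");
        }
        UserTransaction ut = ctx.getUserTransaction();
        try {
            ut.begin();
            // ... resource-manager work (e.g. JDBC insert of entry) goes here ...
            ut.commit();
        } catch (Exception e) {
            try { ut.rollback(); } catch (Exception ignored) { }
            throw new EJBException(e);
        }
    }

    // Container callbacks: never invoked inside a transaction, yet the
    // caller identity is still accessible, as the thread above points out.
    public void ejbActivate() {
        System.out.println("Activated for " + ctx.getCallerPrincipal().getName());
    }
    public void ejbPassivate() {}
    public void ejbRemove() {}
}
```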