I have a web application that uses ejbs. The application uses filters defined in the web.xml for security and such on all calls. So far so good. I have one ejb that I'm exposing as a webservice using the @WebService annotation. The problem I have is that I need to have all calls to this webservice go through the servlet filter but because the directly exposed ejb isn't part of the web module it obviously doesn't get caught by the filter. (The annotated webservice appears in a separate context based on the ejb-module name by default).
I feel that I'm missing something here. I want to use the annotation ('cause it's handy) but I have a requirement to run all calls through this filter. Can I:
1. Somehow include (wrap) the annotated ejb service into the war file? (i.e. still making use of the @WebService annotation)
2. Find some way of applying the web filter to the directly exposed ejb?
I get the feeling that there's an obvious solution to this that's just eluding me.
Do you know that for EJB based endpoints, you can use EJB method-level security?
If not, here is a tutorial on how to do security in EJBs: http://www.netbeans.org/kb/docs/javaee/secure-ejb.html However, the calls to the web service will still not go through your servlet filter.
My experience tells me that EJB endpoints are (always or just often?) wrapped in a servlet by the container when being deployed. Since I have never seen anything about this in the JAX-WS specifications, I assume that this is implementation-specific behaviour and thus should not be relied upon.
If you still want to choose this option, I guess it is possible to see to it that your servlet filter is applied to that servlet too. Again, note that you risk the portability etc. of your application.
posted 11 years ago
Yeah, I've pretty much got to go with the web filter: that's just in-house architecture of the apps in here. I'll look into applying the filter to the container's servlet, but I'd say it would probably be easier just to use the (in this case Oracle) assembler tool to generate the interface and implement a pojo implementation that calls the bean through a service layer. It just feels like a step backwards not to be using annotations, you know?
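The wrapper idea from the thread (a POJO endpoint inside the WAR that delegates to the bean), sketched as an added example that is not code from any of the posters. It assumes a Java EE 5 or later container with the WAR and the EJB jar in the same EAR; every class name, URL pattern and the filter name `SecurityFilter` is hypothetical.

```java
// Added illustration. All type names, the URL pattern and the filter name are
// hypothetical; in a real project each type is public and in its own file.
import java.util.HashMap;
import java.util.Map;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

// Business interface, packaged in the EJB module.
@Local
interface OrderService {
    String status(String orderId);
}

// The bean keeps the logic but no longer carries @WebService. If the annotation
// stayed, the container would still publish the endpoint under the EJB module's
// own context, outside the reach of the web application's filters.
@Stateless
class OrderServiceBean implements OrderService {
    private final Map<String, String> statuses = new HashMap<String, String>();

    OrderServiceBean() {
        statuses.put("A-1", "SHIPPED"); // constructed sample data
    }

    public String status(String orderId) {
        String s = statuses.get(orderId);
        return s != null ? s : "UNKNOWN";
    }
}

// POJO endpoint packaged in the WAR. It is deployed as a servlet of the web
// application, so filter mappings in web.xml cover its URL.
@WebService(serviceName = "OrderWS")
public class OrderEndpoint {
    @EJB
    private OrderService orders; // injected by the container

    @WebMethod
    public String status(String orderId) {
        return orders.status(orderId); // request has already passed the filter chain
    }
}

// web.xml (WAR), shown as comments; the endpoint class is declared as a servlet:
//   <servlet><servlet-name>OrderEndpoint</servlet-name>
//            <servlet-class>OrderEndpoint</servlet-class></servlet>
//   <servlet-mapping><servlet-name>OrderEndpoint</servlet-name>
//            <url-pattern>/services/orders</url-pattern></servlet-mapping>
//   <filter-mapping><filter-name>SecurityFilter</filter-name>
//            <url-pattern>/*</url-pattern></filter-mapping>
```

After deployment, check that the service answers only under the WAR's context root and that no endpoint remains under the EJB module's context.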