stateless session bean and declarative security

 
Greenhorn
Posts: 18
I am confused about how stateful and stateless beans behave under a security context.

In Cade and Sheil's sample, Fig 9-3.

There is a @Stateless BidManager class that has findBid and createBid methods.

If users need to be authenticated before they can use these methods, do we need to change this to a stateful session bean? I think it is not necessary, but I want to know the best practice. If the user's information is also needed while creating a bid, would it be better to change the bean to a stateful session bean?

Normally, the controller does the authentication, and the security context is propagated to the EJB classes, right? And if declarative authorization is used, the @DeclareRoles annotation can be used.

Thanks
 
Ranch Hand
Posts: 86
> I am confused on how stateful and stateless bean behave under security context.

They both behave the same.

> If user needs to be authenticated before they can use these method, do we need to change this to stateful session bean

Nope.

> If user's information is also needed while creating bid, would it be better to change the bean to stateful session bean.

Nope! Secure your bean (@RolesAllowed) and then use the getCallerPrincipal()/isCallerInRole() methods to get the user ID/roles, and then retrieve whatever information you need about the user.

> Normally, controller does the authentication, and the security context is propagated to the ejb classes right

Once you authenticate against the container (web/EJB), the security context is propagated to the EJB classes by the container.

A word to the wise: reading more about the different types of EJBs (and their applicability when solving a business problem) will hold you in good stead.
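The pattern described in this reply, as an added example (my code, not code from the thread or from Cade and Sheil's book): a stateless BidManager with the findBid and createBid methods from the question, secured declaratively with @DeclareRoles and @RolesAllowed, reading the caller's identity from the container-injected SessionContext. The role names "bidder" and "auditor", the Bid type, the in-memory BidRepository and the rule that a bidder may only read their own bids are assumptions for illustration; the javax.* package names are the EJB 3.x ones (Jakarta EE 9 and later use jakarta.*).

```java
// Added example, not from the thread or the book. Assumed: roles "bidder"
// and "auditor", the Bid type, and the in-memory BidRepository below.
import java.math.BigDecimal;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"bidder", "auditor"})   // roles this bean refers to (assumed names)
public class BidManager {

    // The container fills in the caller's security context before every
    // business-method call, so a stateless bean can read the authenticated
    // identity without keeping any conversational state of its own.
    @Resource
    private SessionContext ctx;

    // Declarative check: only authenticated callers in one of these roles
    // reach the method body; the container rejects everyone else with
    // EJBAccessException before any code here runs.
    @RolesAllowed({"bidder", "auditor"})
    public Bid findBid(long bidId) {
        Bid bid = BidRepository.load(bidId);
        if (bid == null) {
            throw new IllegalArgumentException("no bid with id " + bidId);
        }
        // Programmatic check layered on the declarative one (assumed rule):
        // an auditor may read any bid, a bidder only their own.
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("auditor") && !bid.getOwner().equals(caller)) {
            throw new EJBAccessException("caller may not read bid " + bidId);
        }
        return bid;
    }

    @RolesAllowed("bidder")
    public Bid createBid(long itemId, BigDecimal amount) {
        // getCallerPrincipal() never returns null: for an unauthenticated
        // caller the container hands back its own "unauthenticated" principal.
        // That is why @RolesAllowed, not this lookup, is the access control;
        // the principal is only used here to record who placed the bid.
        Principal caller = ctx.getCallerPrincipal();
        String userId = caller.getName();
        // Any further user details (e-mail, bidding limits, ...) would be
        // looked up by this ID on each call rather than cached in a stateful bean.
        Bid bid = new Bid(itemId, amount, userId);
        BidRepository.save(bid);
        return bid;
    }

    // --- Minimal supporting types, assumed for the example ------------------

    public static class Bid {
        private static final AtomicLong IDS = new AtomicLong(1);
        private final long id;
        private final long itemId;
        private final BigDecimal amount;
        private final String owner;   // principal name of the bidder

        Bid(long itemId, BigDecimal amount, String owner) {
            this.id = IDS.getAndIncrement();
            this.itemId = itemId;
            this.amount = amount;
            this.owner = owner;
        }
        public long getId() { return id; }
        public long getItemId() { return itemId; }
        public BigDecimal getAmount() { return amount; }
        public String getOwner() { return owner; }
    }

    // Stand-in for a persistence layer; keeps the example self-contained.
    static final class BidRepository {
        private static final Map<Long, Bid> STORE = new ConcurrentHashMap<>();
        static void save(Bid bid) { STORE.put(bid.getId(), bid); }
        static Bid load(long id) { return STORE.get(id); }
    }
}
```

Deployed in a container, nothing in this class performs authentication. The web tier (or the EJB client container) authenticates the user, the container maps the authenticated groups to the declared roles, and the resulting security context is what ctx.getCallerPrincipal() and ctx.isCallerInRole() read. Stripping the @RolesAllowed annotation would not make the bean fail loudly; it would silently let the unauthenticated principal through to the method body, which is the failure mode worth watching for when reviewing such beans.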
 
talu singh
Greenhorn
Posts: 18
Thanks, for the great answer.
 
talu singh
Greenhorn
Posts: 18
If you are using the JAAS DatabaseLoginModule for authentication, is it possible to let the container handle authorization?
Or does JAAS have to handle both authentication and authorization?

Or do most JEE containers handle declarative security using JAAS?

Thanks
 