We are developing an EJB-based business application which publishes an
API for the Client application. These APIs are actually the methods of
the EJBRemote objects. The processing flow for any API call from the
Client application is as follows:
Client application -> Session Bean -> Business Object (which does
Validation) -> Business Object (which interacts with the Data access
layer) -> Data access layer.
Now, is it possible to restrict the Client application from directly
calling the Business Object (which interacts with the Data access
layer) without calling the Session Bean layer (thus breaking our
application)? In other words, can we force the Client application to
call only our Session Beans?
Since we are hosting our application on an application server
(WebLogic, WebSphere etc.), the Client may use this application server
for hosting other applications as well; hence we have limited control
on the application server behaviour.
Any idea is welcome.