a) I want several applications/services (java+non-java) to access the same user base. The service providing the user base also should provide authentication mechanisms. The ejb container should be able to access this structure. Ideally, a client calls the ejb, and is at the beginning associated with an "anonymous" user, until the client decides to authenticate. Is this possible ? What kind of architecture would you recommend ? What I definitely do NOT want is : use a web container for this, or servlet functionality. I do want to do authentication at EJB container level, or EJB level.
b) When the client decides to authenticate, how can I make the stateful session ejb be aware of the client�s new security identity ? I guess it must be stored in a context variable to do that. Also, the ejb - I guess - will have to make calls for this (programmatic). what do those calls look like ? How can I do that ?
c) Imagine I want to create a new user at runtime, and associate the client with the security context of that new user. How is all of this best done ?
My personal guess is: LDAP user base with authentication mechanism. EJB accesses that tree. EJB stores new sec identity in its own context variable, so it aquires the new sec identity (is this possible and allowed for an EJB ?). But all other questions still remain open for me.
Jay [ March 28, 2005: Message edited by: Jay Sam ]