| Author |
Part 2: Security in Web & Swing App
|
Solomon Raz
Greenhorn
Joined: Feb 26, 2005
Posts: 19
|
|
I'm planning on using a filter to make sure only authenticated users are allowed to access "protected resources" for the web application (similar to the petshop approach). I'm thinking of using XML over HTTP for the Swing app to server communication. Is my understanding correct that the Swing app will need to have the authentication logic in its Front Controller or Business Delegate? Is there any way to have this logic in one place that both web & Swing apps can use? Solomon
|
 |
Ravi Dhanum
Ranch Hand
Joined: Feb 27, 2005
Posts: 46
|
|
I was planning on having the Swing application use JNDI to obtain the session beans (session facades). I haven't figured out how to invoke JNDI over SSL. Does anyone know this? Thanks. Ravi
|
 |
Along huang
Ranch Hand
Joined: Feb 09, 2004
Posts: 72
|
|
I was faced with the same trouble as you and thought out some ideas. Here are two solutions, but they just represent my point of view. 1. Both the web app and the Swing app are based on the web container; in other words, the Swing app accesses the EJB through the web container, so you can put a Filter in the web tier. 2. For the Swing app, the client directly accesses the EJB, and you configure the security of the EJB in ejb-jar.xml. Best regards
|
SCJP1.4 SCJD 2
SCEA (in progress)
|
 |
Solomon Raz
Greenhorn
Joined: Feb 26, 2005
Posts: 19
|
|
I seem to like the first solution you've provided. I have a question on that though. For web apps, the filter will look at the URL to see if it is a 'protected resource' and then authenticate the user. Since all calls from the Swing app will be to the same URL (that of the FC servlet), how will the filter know when to authenticate? Please clarify. Solomon
|
 |
Solomon Raz
Greenhorn
Joined: Feb 26, 2005
Posts: 19
|
|
Along, I guess after giving it some thought, I may have answered my own question. I'm thinking the filter servlet will look at the URL and, if it is that of the Swing app's FC, it should look at the XML message and determine what the request type is and do the necessary authentication. Is this in line with your thought also? Thanks, Solomon
|
 |
Ravi Dhanum
Ranch Hand
Joined: Feb 27, 2005
Posts: 46
|
|
Hello all, there is an invaluable discussion on this at: web and swing authentication. I'm planning on using container managed for the web and client. -Ravi
|
 |
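The single-filter idea discussed in this thread (one filter that checks the URL for browser requests and inspects the XML message for the Swing front controller), sketched as an added example that is not code from any of the posters. It assumes the javax.servlet API and Java 11+; the two paths, the root element's `type` attribute, the `login` request type, the login page and the `user` / `xmlRequest` attributes are hypothetical names.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Added example. Assumed names: the two paths, the root element's "type" attribute,
// the "login" request type, and the "user" / "xmlRequest" attributes.
public class AuthFilter implements Filter {
    private static final String SWING_FC = "/controller";  // assumed FC servlet mapping
    private static final String PROTECTED = "/secure/";     // assumed protected web prefix
    private static final int MAX_BODY = 64 * 1024;          // cap on pre-auth XML bodies

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        String path = req.getServletPath();

        if (SWING_FC.equals(path)) {
            // Every Swing call hits this one URL, so the decision comes from the message.
            byte[] body = req.getInputStream().readNBytes(MAX_BODY + 1);
            if (body.length > MAX_BODY) { res.sendError(413); return; }
            Document doc;
            try {
                DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
                // Input is untrusted and not yet authenticated: refuse DTDs (blocks XXE).
                f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(body));
            } catch (Exception e) { res.sendError(400); return; }
            String type = doc.getDocumentElement().getAttribute("type");
            if (!loggedIn && !"login".equals(type)) { res.sendError(401); return; }
            // The body stream is now consumed; the front controller reads this attribute.
            req.setAttribute("xmlRequest", doc);
        } else if (path.startsWith(PROTECTED) && !loggedIn) {
            res.sendRedirect(req.getContextPath() + "/login.jsp"); // assumed login page
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The Swing client has to send back the session cookie it receives at login, and the code that handles the `login` request type (not shown) is what sets the `user` session attribute.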