If i declare an env. variable for a property file(or for that matter any file) name and path and let the deployer fill in the values, why would i not be able to use the file io.? Is it technically not possible(if so what is the reason?)? Or is it that the approach would reduce the portability?
Primarily this is against the specifications... reason being
Enterprise beans aren't allowed to access files primarily because files are not transactional resources. Allowing EJBs to access files or directories in the filesystem, or to use file descriptors, would compromise component distributability, and would be a security hazard.
Another reason is deployability. The EJB container can choose to place an enterprise bean in any JVM, on any machine in a cluster. Yet the contents of a filesystem are not part of a deployment, and are therefore outside of the EJB container's control. File systems, directories, files, and especially file descriptors tend to be machine-local resources. If an enterprise bean running in a JVM on a particular machine is using or holding an open file descriptor to a file in the filesystem, that enterprise bean cannot easily be moved from one JVM or machine to another, without losing its reference to the file.
Furthermore, giving EJBs access to the filesystem is a security hazard, since the enterprise bean could potentially read and broadcast the contents of sensitive files, or even upload and overwrite the JVM runtime binary for malicious purposes.
Files are not an appropriate mechanism for storing business data for use by components, because they tend to be unstructured, are not under the control of the server environment, and typically don't provide distributed transactional access or fine-grained locking. Business data is better managed using a persistence interface such as JDBC, whose implementations usually provide these benefits. Read-only data can, however, be stored in files in a deployment JAR, and accessed with the getResource() or getResourceAsStream() methods of java.lang.Class.
Agreed with mentioned reasons and that we should not attempt to use IO for accessing files from enterprise beans. However, in my existing application, if I am not using clustered environment and client wants me to have configurable stuff from some properties file only, which may also be modified through code & I have to use file-system. In such cases, is there anything in EJB environment that stops me from doing that?
One argument for security thing is that, provided that access to file system(through code) is under control of bean provider & deployment environment is protected, is there still any security hole in the system?