Let us say a specific functionality is to be provided both on the web as an EJB application and as a Swing application; how do we go about handling security/authentication? Any thoughts on the issues to be considered? Any useful links?
We are currently building an application that uses EJB3 as the backend and JSF and Swing as the front ends.
Security checks are done in both the front end and the back end. The back end simply assumes that the front end is dumb and never trusts the front end. Before you execute any function on the back end, it checks the user's credentials and permission levels.
In addition to the security checks done in the back end, some security checks are done in the front end as well (just to maintain sanity).
For example, if a user manages to navigate to a page that he is not allowed to visit (e.g. via a bookmark), then the front end checks the user's permission level and disallows him.
Now, in the worst case, the permission levels on the front end are configured incorrectly and the user is allowed to visit a page that he is not allowed to. If the user then performs an action on the page, a call is made to the back end, which checks the user's permission level and disallows the action.
So, in a nutshell your security / permission checks should be in the back end. Whatever security / permission checks you put on the front end would just complement the security checks on the back end.
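As an added illustration of the "back end never trusts the front end" rule above (example code, not from the original answer): a hypothetical EJB3 stateless bean that serves both the JSF and the Swing client and enforces its own authorization, declaratively with `@RolesAllowed` and programmatically through `SessionContext`. The `OrderService` interface, the role names and the order-value threshold are assumptions made for the example.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical business interface; the same bean serves the JSF and Swing clients.
@Remote
interface OrderService {
    void approveOrder(long orderId);
    void cancelOrder(long orderId);
}

@Stateless
@DeclareRoles({"clerk", "manager"})
public class OrderServiceBean implements OrderService {

    @Resource
    private SessionContext ctx;   // gives access to the authenticated caller

    // Declarative check: the container rejects any caller outside these roles
    // before the body runs, no matter which front end made the call.
    @RolesAllowed({"clerk", "manager"})
    public void approveOrder(long orderId) {
        // Programmatic check for a rule the annotation cannot express:
        // only a manager may approve an order above the (constructed) threshold.
        if (orderValue(orderId) > 10000 && !ctx.isCallerInRole("manager")) {
            throw new EJBAccessException("manager role required for large orders");
        }
        // ... business logic ...
    }

    // Clerks never reach this body, even if a misconfigured front end shows them the button.
    @RolesAllowed("manager")
    public void cancelOrder(long orderId) {
        // ... business logic ...
    }

    // Placeholder lookup; a real bean would read the order from the database.
    private double orderValue(long orderId) {
        return 0;
    }
}
```

The JSF page can complement this by hiding the cancel action when `ExternalContext.isUserInRole("manager")` is false, and the Swing client by disabling the corresponding menu item, but neither check is what keeps a clerk from cancelling an order: the container check on the bean is.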