JavaRanch » Java Forums » Certification » Architect Certification (SCEA/OCMJEA)
stateless session bean and declaritive security

talu singh
Greenhorn

Joined: Jun 07, 2010
Posts: 18
I am confused about how stateful and stateless beans behave under a security context.

In Cade and Sheil's sample, Fig 9-3.

There is a @Stateless BidManager class that has findBid and createBid methods.

If users need to be authenticated before they can use these methods, do we need to change this to a stateful session bean? I think it is not necessary, but I want to know the best practice. If the user's information is also needed while creating a bid, would it be better to change the bean to a stateful session bean?

Normally, the controller does the authentication, and the security context is propagated to the EJB classes, right? And if declarative authorization is used, the @DeclareRoles annotation can be used.

Thanks
Ryan Fernandes
Ranch Hand

Joined: Dec 11, 2003
Posts: 86
I am confused about how stateful and stateless beans behave under a security context.

They both behave the same.
If users need to be authenticated before they can use these methods, do we need to change this to a stateful session bean?

Nope.

If the user's information is also needed while creating a bid, would it be better to change the bean to a stateful session bean?

Noope! Secure your bean (@RolesAllowed) and then use the getCallerPrincipal()/isCallerInRole() methods to get the userID/Roles and then retrieve whatever information you need about the user.

Normally, the controller does the authentication, and the security context is propagated to the EJB classes, right?

Once you authenticate against the container (web/ejb) the security context is propagated to the EJB classes by the 'container'.

A word to the wise: reading more about the different types of EJBs (and their applicability when solving a business problem) will hold you in good stead.


Unthinking respect for authority is the greatest enemy of truth. -Albert Einstein, physicist, Nobel laureate (1879-1955)
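An added example of the arrangement Ryan describes, written for this thread rather than taken from Cade and Sheil's Fig 9-3: the BidManager stays @Stateless, the container enforces @RolesAllowed, and the bean reads the propagated caller identity through SessionContext. It assumes a JPA Bid entity with an owner field and a web tier that has already authenticated the user against the container (for example via a web.xml security-constraint); both are hypothetical.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

// Hypothetical BidManager: still @Stateless. The container checks @RolesAllowed before
// any method body runs; the bean itself only reads the already-propagated caller identity.
@Stateless
@DeclareRoles({"bidder", "auditor"})
public class BidManager {

    @Resource
    private SessionContext ctx;   // carries the security context propagated from the web tier

    @PersistenceContext
    private EntityManager em;     // assumed JPA persistence unit containing a Bid entity

    // Either role may call this; the ownership rule below is finer-grained than a role,
    // so it is expressed programmatically with getCallerPrincipal()/isCallerInRole().
    @RolesAllowed({"bidder", "auditor"})
    public Bid findBid(long bidId) {
        Bid bid = em.find(Bid.class, bidId);
        if (bid == null) {
            return null;
        }
        String caller = ctx.getCallerPrincipal().getName();
        // Bidders see only their own bids; auditors see all of them.
        if (!bid.getOwner().equals(caller) && !ctx.isCallerInRole("auditor")) {
            throw new EJBAccessException("bid " + bidId + " does not belong to " + caller);
        }
        return bid;
    }

    // Unauthenticated callers, or callers outside "bidder", never reach this body:
    // the container rejects the call with an EJBAccessException.
    @RolesAllowed("bidder")
    public Bid createBid(long itemId, long amountInCents) {
        Principal caller = ctx.getCallerPrincipal();
        Bid bid = new Bid(itemId, amountInCents, caller.getName());  // record who placed it
        em.persist(bid);   // container-managed transaction (the default for session beans)
        return bid;
    }
}
```

No conversational state is needed because the caller's identity arrives with every invocation; the bean never has to remember who logged in.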
talu singh
Greenhorn

Joined: Jun 07, 2010
Posts: 18
Thanks, for the great answer.
talu singh
Greenhorn

Joined: Jun 07, 2010
Posts: 18
If you are using the JAAS DatabaseLoginModule for authentication, is it possible to let the container handle authorization?
Or does JAAS have to handle both authentication and authorization?

Or do most JEE containers handle declarative security using JAAS?

Thanks