I am confused about how stateful and stateless beans behave under a security context.
In Cade and Sheil's sample, Fig. 9-3,
there is a @Stateless BidManager class that has findBid and createBid methods.
If users need to be authenticated before they can use these methods, do we need to change this to a stateful session bean? I think it is not necessary, but I want to know the best practice. If the user's information is also needed while creating a bid, would it be better to change the bean to a stateful session bean?
Normally, the controller does the authentication, and the security context is propagated to the EJB classes, right? And if declarative authorization is used, the @DeclareRoles annotation can be used.
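As an added illustration (this is not the code from Fig. 9-3 or from the book), the bean below shows how a @Stateless BidManager can rely on the security context the container propagates with each call: container-managed role checks via @DeclareRoles and @RolesAllowed, the caller's identity from SessionContext.getCallerPrincipal() when a bid is created, and a programmatic isCallerInRole check for an ownership rule. Because the identity arrives with every invocation, no conversational state is needed and the bean can stay stateless. The role names, the Bid fields, and the in-memory store (a stand-in for an injected EntityManager) are assumptions made for this example.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Roles are hypothetical; the page names none. Declaring them lets the
// container validate @RolesAllowed values at deployment time.
@DeclareRoles({"bidder", "admin"})
@Stateless
public class BidManager {

    /** Minimal bid record; the real Bid class is not shown on the page. */
    public static final class Bid {
        public final long id;
        public final long itemId;
        public final double amount;
        public final String bidder; // caller name taken from the security context

        Bid(long id, long itemId, double amount, String bidder) {
            this.id = id;
            this.itemId = itemId;
            this.amount = amount;
            this.bidder = bidder;
        }
    }

    // Container-injected; it carries the identity propagated from the web tier
    // (or other caller) for the current invocation only, never across calls.
    @Resource
    private SessionContext ctx;

    // Stand-in for a JPA EntityManager so the example is self-contained.
    // Shared static state is not per-client state, so the bean remains stateless.
    private static final Map<Long, Bid> STORE = new ConcurrentHashMap<>();
    private static final AtomicLong IDS = new AtomicLong(1);

    /** Anyone, authenticated or not, may look up a bid (assumed policy). */
    @PermitAll
    public Bid findBid(long bidId) {
        return STORE.get(bidId);
    }

    /**
     * The container refuses the call with EJBAccessException unless the
     * propagated caller is in role "bidder"; nothing stateful is required
     * to know who the user is, the principal comes with the call.
     */
    @RolesAllowed("bidder")
    public Bid createBid(long itemId, double amount) {
        if (amount <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        Principal caller = ctx.getCallerPrincipal();
        Bid bid = new Bid(IDS.getAndIncrement(), itemId, amount, caller.getName());
        STORE.put(bid.id, bid);
        return bid;
    }

    /**
     * Declarative check (role gate) plus a programmatic check (ownership):
     * only the user who placed the bid, or an admin, may cancel it.
     */
    @RolesAllowed({"bidder", "admin"})
    public void cancelBid(long bidId) {
        Bid bid = STORE.get(bidId);
        if (bid == null) {
            throw new IllegalArgumentException("no such bid: " + bidId);
        }
        String caller = ctx.getCallerPrincipal().getName();
        if (!caller.equals(bid.bidder) && !ctx.isCallerInRole("admin")) {
            throw new EJBAccessException("only the bidder or an admin may cancel");
        }
        STORE.remove(bidId);
    }
}
```

The authentication itself still happens in the web tier (container-managed login or a filter); the EJB container attaches the resulting principal and roles to each call, so a stateless bean can make per-request authorization decisions without holding any session data of its own.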