EJB3 Doubts

Gaurav Dighe
Greenhorn

Joined: Jun 25, 2009
Posts: 21

Hi,
I have below doubts:
1. What I did not understand is this: a Stateful Session Bean helps to maintain the client state of an application. Does it mean that a session is maintained for the user? If so, how do we retrieve the session ID from the Stateful Session Bean in a JSP page? What is the difference between sessions used on the web through HttpSession and a Stateful Session Bean? Which one is more useful, and why?
If the session is not maintained, then can anyone explain to me the concept of a session bean, or point me to an article with a well-explained example of a shopping cart with user authentication?

2. Can user authentication and the session be maintained using a JDBC Realm? If so, please explain that to me as well, with a nice example or an article explaining the concepts with an example.

3. What is the difference between EJB security and Web Security? Please point me to an article with good examples.


Thanks & Regards,
Gaurav Dighe
Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 3230
    

1. Yes, stateful session beans are maintained for the user session. Why do you need to get the session ID? And why from a JSP? If you need to get the SFSB instance, you can either go for dependency injection or have a JNDI lookup for that. A JSP should only be used as a viewer component - you should not have EJB-accessing logic in it.

2. By JDBC Realm, did you perhaps mean declarative security? Read the Oracle Tutorial for that.

3. Web security, in its general terms, is about securing everything over the web. This includes the user authentication process, elimination of security threats, and the security of all other web components. EJB security, on the other hand, is just about the security laid down on the EJB tier. Since application servers are not only to be integrated with web tiers, security enforced in the EJB tier itself is important. The first two items you get, if you google for something like "EJB Security", have some examples for that.


Gaurav Dighe
Greenhorn

Joined: Jun 25, 2009
Posts: 21

Hi Devaka,

Thanks for the reply.
About the first one, you mentioned only doing a JNDI lookup, right?
E.g., if my stateful session bean "AuthenticateBean" contains the method below and has the remote interface "AuthenticateBeanRemote" in the package ejb:

    public boolean authenticate(String user, String password)
    {
        // someLogic stands for the actual credential check
        if (someLogic)
            return true;
        else
            return false;
    }

The login HTML page contains a textbox named "txtUser", a password textbox named "txtPassword" and a Submit button. On clicking Submit it will take us to authenticate.jsp.

Now in the JSP page, I have imported javax.naming.*, javax.ejb.*, ejb.*. Below is some code demonstration:

    <%!
        private AuthenticateBeanRemote abr;

        public void jspInit()
        {
            try
            {
                Context ctx = new InitialContext();
                abr = (AuthenticateBeanRemote) ctx.lookup("java:comp/env/ejb/Autheticate");
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }
    %>

Some HTML code followed by:

    <%
        String user = request.getParameter("txtUser");
        String pwd = request.getParameter("txtPassword");

        boolean flag;
        flag = abr.authenticate(user, pwd);
        if (flag)
        {
    %>
    "SUCCESS"
    <%-- tell me how to get the session ID here (SessionID), because that will be used in further interaction such as buying a product, payment etc., so that we can make sure that only a logged-in user is accessing these things, or else the container itself takes care of these things... meaning no need to supply session-related things, as the container will take care of it... I hope you are getting what I am saying --%>
    <%
        }
        else
        {
    %>
    FAILURE
    <% } %>


If there are more than 2 users logging in at the same time, then does a stateful session bean solve the purpose of securing the identity of the logged-in user, or should I go with a different EJB approach? Please help.

Thanks for the solution to the second doubt.

For the third: if I am developing the application as mentioned above in the 1st doubt, then I need to give web security only and no need to give EJB security.


I know that I am asking some silly doubts, but yes, I want to learn these things and have not joined any trainings.

Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 3230
    

Please UseCodeTags when you post code. It's unnecessarily hard to read the code otherwise. Can you please edit your above post to add code tags by clicking the button?

Gaurav Dighe wrote: About the first one, you mentioned only doing a JNDI lookup, right?

You can use dependency injection as well.


I can see that you have performed a JNDI lookup directly from the JSP. But...
Devaka Cooray wrote: A JSP should only be used as a viewer component - you should not have EJB-accessing logic in it.


Gaurav Dighe wrote: ...tell me how to get the session ID here (SessionID), because that will be used in further interaction such as buying a product, payment etc., so that we can make sure that only a logged-in user is accessing these things, or else the container itself takes care of these things... meaning no need to supply session-related things, as the container will take care of it... I hope you are getting what I am saying

You can rely on the session attributes you placed on HttpSession to identify the client. Is there any particular requirement for you to not use HttpSession?

Gaurav Dighe wrote: If there are more than 2 users logging in at the same time, then does a stateful session bean solve the purpose of securing the identity of the logged-in user, or should I go with a different EJB approach?

A Stateful session bean instance should be associated with a unique client. Another client should get another instance. You can get a Stateful session bean instance, which is associated with the current client, and use that same reference within the scope of that client (user). If you look up another Stateful session bean for another client, you get a new instance associated with that client.

Gaurav Dighe wrote: ...no need to give EJB security

Securing the backend components is always encouraged - the best practice is to secure everything in the first place, before they come under significant threats!
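
The pattern described in the reply above (HttpSession identifies the client, each client gets its own stateful bean instance, and the EJB tier is secured too), as an added example that is not code from this thread. The Cart types, the "customer" role, the ejb/Cart reference name and cart.jsp are assumptions, and it assumes container-managed login has already authenticated the caller and that both tiers are deployed in the same application.

```java
import java.io.IOException;
import java.util.*;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.*;
import javax.naming.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Cart.java (each public type below goes in its own file; imports are shown once)
public interface Cart {                      // hypothetical local business interface
    void add(String productId);
    String checkout();
}

// CartBean.java: EJB tier. One instance per client; the container checks the role on each call.
@Stateful
@RolesAllowed("customer")                    // assumed role name, mapped in the realm
public class CartBean implements Cart {
    @Resource private SessionContext ctx;
    private final List<String> items = new ArrayList<String>();  // per-client state
    public void add(String productId) { items.add(productId); }
    @Remove                                  // the instance is discarded after checkout
    public String checkout() {
        // The caller is the identity the container authenticated, not a request parameter.
        return "order for " + ctx.getCallerPrincipal().getName() + ": " + items;
    }
}

// CartServlet.java: web tier. Servlet/JSP fields are shared by all users; use HttpSession.
@EJB(name = "ejb/Cart", beanInterface = Cart.class)   // declares java:comp/env/ejb/Cart
public class CartServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null) {          // container login has not happened
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession();
        Cart cart = (Cart) session.getAttribute("cart");
        if (cart == null) {                            // first request of this client
            try {                                      // each lookup yields a new instance
                cart = (Cart) new InitialContext().lookup("java:comp/env/ejb/Cart");
            } catch (NamingException e) { throw new ServletException(e); }
            session.setAttribute("cart", cart);
        }
        cart.add(req.getParameter("productId"));
        resp.sendRedirect("cart.jsp");
    }
}
```

Because the role check sits on the bean itself, a caller that reaches CartBean without going through the web tier is still rejected unless it holds the assumed "customer" role.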

Gaurav Dighe
Greenhorn

Joined: Jun 25, 2009
Posts: 21

Hi Devaka,
Below is the code
E.g., if my stateful session bean "AuthenticateBean" contains the method below and has the remote interface "AuthenticateBeanRemote" in the package ejb

The login HTML page contains a textbox named "txtUser", a password textbox named "txtPassword" and a Submit button. On clicking Submit it will take us to authenticate.jsp.
I know that according to MVC2 I should be using the JSP page for presentation purposes only.

Now in the JSP page, I have imported javax.naming.*, javax.ejb.*, ejb.*. Below is some code demonstration:



How do I add an object to the state of a stateful session bean? Can you give me a small code sample?

Is web security alone enough for such an application, or do I need to give EJB security also?
Second thing: if I want to check for authentication using a JDBC Realm, how do I check it? E.g., if a new user (who has not logged in) clicks on the Products page, then he will be checked for whether he is logged in and then whether he is authorised to use that resource. Now in my case, if the user has not logged in, then on clicking the Products page, the Login page should be displayed with a Register link. If he provides his authentication, then he should be directly allowed to view the Products page. How do I establish this with a JDBC Realm?
 