Renat,
You would protect the bean and authenticate from the web-tier (use web authentication) or the J2SE client side (use JAAS). (You would use container managed security)
You would not want to use any of the following approaches because:
1. An entity bean represents the user and has business methods; it is obtained via a finder method with login and password and stored using a Handle.
Entity bean's finder methods should not have login credentials. You will have a problem if a stateless session facade wants to use this entity bean. (You may have to send the credentials every time.)
2. A stateful session bean does this (session facade), therefore it manages a session for the user.
Which one do you prefer and why?
It is generally good to minimize the usage of Stateful session beans for scalability constraints. And, if the thick client dies prematurely, there is no clean way of sending the Stateful Session bean back to pool.
Any other thoughts guys?
Dushy
[ June 02, 2004: Message edited by: Dushy Inguva ]
SJCP, SCBCD, SJCD, SCDJWS, SCEA (Part I)
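
The container-managed approach recommended in the reply above, as an added example that is not part of the original thread: an EJB 2.x stateless session facade whose callers are authenticated and authorized by the container, so no business method takes a login or password. The bean name `AccountFacade`, the role `customer`, the method `getOwnBalance` and the sample balances are assumptions made for illustration.

```java
// Added example, not from the thread. AccountFacadeBean, the role "customer",
// getOwnBalance() and the balances are hypothetical names and constructed data.
//
// ejb-jar.xml (EJB 2.x) fragment: the container rejects any caller that is not
// authenticated (web login or JAAS) and mapped to the "customer" role.
//
//   <assembly-descriptor>
//     <security-role><role-name>customer</role-name></security-role>
//     <method-permission>
//       <role-name>customer</role-name>
//       <method>
//         <ejb-name>AccountFacade</ejb-name>
//         <method-name>*</method-name>
//       </method>
//     </method-permission>
//   </assembly-descriptor>

import java.security.Principal;
import java.util.Map;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountFacadeBean implements SessionBean {
    // Constructed sample data standing in for the entity-bean lookup.
    private static final Map<String, String> BALANCES =
            Map.of("alice", "120.00", "bob", "75.50");

    private SessionContext ctx;

    // No login/password parameters: identity comes from the security context
    // the container propagated with the call, so a client cannot ask for
    // another user's data by passing a different user name.
    public String getOwnBalance() {
        Principal caller = ctx.getCallerPrincipal();
        String balance = BALANCES.get(caller.getName());
        if (balance == null) {
            throw new EJBException("No account for caller " + caller.getName());
        }
        return balance;
    }

    public void ejbCreate() {}
    public void setSessionContext(SessionContext sessionContext) { this.ctx = sessionContext; }
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```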