Thanks Deepak, that clarified lots of issues for me.
Some more queries I have.
1. Detection of the fact that the user is logged in or not has to be part of something very close to the Controller. It could be an InterceptingFilter (like in Petstore) or it could be an ApplicationController (like in Struts). A class called RequestProcessor is an example of an ApplicationController implementation.
If I am not mistaken this part is handled by SignOnNotifier. The way it is implemented in the Web tier is that it implements HttpSessionListener, so just the creation of a session calls the implementation method where the actual logic creates an event and sends it to the EJB tier. How would this work for the application client? No SignOnNotifier there?
2. If the InterceptingFilter does this detection then it needs some kind of metadata for performing this check. In Petstore a separate XML file is maintained and used by the InterceptingFilter to find out if a particular request requires the user to be logged in.
I was going through the SignOnFilter code; there is a doFilter implementation. Is that what you are referring to?
3. If the ApplicationController does this detection then the metadata can be part of the command definition that is anyway needed for the ApplicationController to work. For example: the Struts config file can be extended by using a custom ActionMapping class to contain this information. This information can then be used in one of the overridable methods of the RequestProcessor class.
When you mention the above, are you saying that the config.xml file holds all the protected resources, similar to the Petstore configs.xml? What would be different if the same were held by web.xml? In fact the XML config is similar to the web.xml configs, except it's not centralised in web.xml. What do you mean by the overridable methods... a Template Method type of implementation?
4. Another strategy could be as simple as imposing a security constraint in the web.xml descriptor file.
Personally I think keeping config information in one central place makes life easier for developers, deployers, etc.
Are you referring to imposing container declarative security?
I still have queries on: Why is there a need for a UserEvent and a CustomerEvent? Isn't a customer a user? I will try explaining what I have understood. Please correct me if that explanation is incorrect.
The customer has already been created and all the information is in the database.
Now a user who is a customer logs in... SignOnNotifier notifies the EJB tier using the SignOnEvent -> SignOnEJB to load the user as well as the Customer information and profile.
I will try explaining the UserEvent and CustomerEvent.
If validation fails, obviously it goes to the Customer page for customer creation and the CustomerEvent is invoked for creating a new customer.
The UserEvent is only going to be invoked by the SignOnNotifier, even though under the covers it loads the customer.
But the confusion comes because of these taken from web.xml
This shows user and customer actions as separate events. But since they are both called in one go, why have the two actions been split? They could very well have been combined into one action like CustomerLoginAction?
Thanks
Dhiren
[ December 30, 2004: Message edited by: Dhiren Joshi ]
[ December 31, 2004: Message edited by: Dhiren Joshi ]
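Added example (not Petstore's SignOnFilter, nor Deepak's code) of point 2 above: an intercepting filter that decides before the controller runs whether the request needs a signed-in user. It assumes the protected URL prefixes come from a filter init-param instead of Petstore's signon-config.xml, and that sign-on sets a hypothetical `signedIn` session attribute.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical intercepting filter: the "is the user logged in" check lives
// here, in front of the controller, driven by metadata from init-params
// (Petstore keeps the same metadata in a separate XML file instead).
public class ProtectedResourceFilter implements Filter {
    static final String SIGNED_IN_ATTR = "signedIn";   // assumed session flag set at sign-on
    private final List<String> protectedPrefixes = new ArrayList<>();
    private String signOnPage;

    public void init(FilterConfig config) {
        // e.g. <param-name>protected</param-name><param-value>/order/,/account/</param-value>
        for (String p : config.getInitParameter("protected").split(",")) {
            protectedPrefixes.add(p.trim());
        }
        signOnPage = config.getInitParameter("signOnPage"); // e.g. /signon.jsp
    }

    // Match the container-decoded servlet path, not the raw URI, so
    // encoded variants of a protected path do not slip past the prefix check.
    boolean requiresSignOn(String servletPath) {
        for (String prefix : protectedPrefixes) {
            if (servletPath.startsWith(prefix)) return true;
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);  // never create a session just to check
        boolean signedIn = session != null
                && Boolean.TRUE.equals(session.getAttribute(SIGNED_IN_ATTR));
        if (requiresSignOn(request.getServletPath()) && !signedIn) {
            // Remember where the user wanted to go, then send them to the sign-on page.
            request.getSession(true).setAttribute("originalUrl", request.getRequestURI());
            ((HttpServletResponse) res).sendRedirect(request.getContextPath() + signOnPage);
            return;
        }
        chain.doFilter(req, res);  // signed in or unprotected: hand off to the controller
    }

    public void destroy() {}
}
```

Point 4 (a `<security-constraint>` in web.xml) makes the container do exactly this prefix check and redirect for you; the filter approach only buys you the application-specific hook (the SignOnEvent to the EJB tier) at the cost of keeping the protected-resource list in a second place.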