EJB3 Doubts

 
Greenhorn
Hi,
I have the doubts below:
1. What I did not understand is this: a Stateful Session Bean helps to maintain the client state of an application. Does it mean that a session is maintained for the user? If so, how do we retrieve the session ID from the Stateful Session Bean in a JSP page? What is the difference between sessions used in the web tier through HttpSession and a Stateful Session Bean? Which one is more useful, and why?
If a session is not maintained, can anyone explain to me the concept of a session bean, or point me to an article with a well-explained example of a shopping cart with user authentication?

2. Can user authentication and the session be maintained using a JDBC Realm? If so, please explain that to me as well, with a nice example or an article explaining the concepts with an example.

3. What is the difference between EJB security and web security? Please point me to an article with good examples.
 
Marshal
1. Yes, stateful session beans are maintained for the user session. Why do you need to get the session ID? And why from a JSP? If you need to get the SFSB instance, you can either go for dependency injection or do a JNDI lookup for it. A JSP should only be used as a viewer component - you should not have EJB-accessing logic in it.

2. By JDBC Realm, did you perhaps mean declarative security? Read the Oracle Tutorial for that.

3. Web security, in its general terms, is about securing everything over the web. This includes the user authentication process, elimination of security threats, and the security of all other web components. EJB security, on the other hand, is just about the security laid down on the EJB tier. Since the application servers are not only to be integrated with web tiers, security enforced in the EJB tier itself is important. The first two items you get, if you google for something like "EJB Security", have some examples for that.
 
Gaurav Dighe
Greenhorn
Hi Devaka,

Thanks for the reply.
About the first one, you mentioned only doing a JNDI lookup, right?
E.g. my stateful session bean "AuthenticateBean" contains the method below and has the remote interface "AuthenticateBeanRemote" in the package ejb:

    public boolean authenticate(String user, String password)
    {
        // someLogic stands for the actual credential check
        if (someLogic)
            return true;
        else
            return false;
    }

The login HTML page contains a textbox named "txtUser", a password textbox named "txtPassword" and a Submit button. Clicking Submit takes us to authenticate.jsp.

Now in the JSP page, I have imported javax.naming.*, javax.ejb.*, ejb.*; below is some code for demonstration:

    <%!
        // Declared with <%! so this field is shared by every request to the JSP
        private AuthenticateBeanRemote abr;

        // Look up the bean once, when the JSP is initialised
        public void jspInit()
        {
            try
            {
                Context ctx = new InitialContext();
                abr = (AuthenticateBeanRemote) ctx.lookup("java:comp/env/ejb/Autheticate");
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }
    %>

some HTML code followed by

    <%
        String user = request.getParameter("txtUser");
        String pwd = request.getParameter("txtPassword");

        boolean flag;
        flag = abr.authenticate(user, pwd);
        if (flag)
        {
    %>
    "SUCCESS"
    <%-- tell me how to get the session ID here (SessionID), because that will be used in further interaction such as buying a product, payment etc., so that we can make sure that only a logged-in user is accessing these things. Or else the container itself takes care of these things, meaning no need to supply session-related things as the container will take care. I hope you are getting what I am saying --%>
    <%
        }
        else
        {
    %>
    FAILURE
    <% } %>


If more than 2 users are logging in at the same time, does a stateful session bean solve the purpose of securing the identity of the logged-in user, or should I go with a different EJB approach? Please help.

Thanks for the solution to the second doubt.

For the third: if I am developing the application as mentioned above in the 1st doubt, then I need to provide web security only and there is no need to provide EJB security.

I know that I am asking some silly doubts, but yes, I want to learn these things and have not joined any training.

 
Devaka Cooray
Marshal
Please UseCodeTags when you post code. It's unnecessarily hard to read the code otherwise. Can you please edit your above post to add code tags by clicking the button?

Gaurav Dighe wrote: About the first one, you mentioned only to do JNDI Lookup right?

You can use dependency injection as well.

I can see that you have performed a JNDI lookup directly from the JSP. But...

Devaka Cooray wrote: A JSP should only be used as a viewer component - you should not have EJB-accessing logic in it.

Gaurav Dighe wrote: ...tell me how to get sessionID here (SessionID) because that will be used in further interaction such as buying product, payment etc....so that we can make sure that a logged in user is only accessing these things or else the container itself takes care of these things...Means no need to supply session related things as container will take care......I hope you are getting what I am saying

You can rely on the session attributes you placed on HttpSession to identify the client. Is there any particular requirement for you to not use HttpSession?

Gaurav Dighe wrote: If there are more than 2 users logging at the same time, then does stateful session bean solve the purpose of securing the identity of the user logged in, or should go with different EJB approach.

A stateful session bean instance should be associated with a unique client. Another client should get another instance. You can get a stateful session bean instance, which is associated with the current client, and use that same reference within the scope of that client (user). If you look up another stateful session bean for another client, you get a new instance associated with that client.

Gaurav Dighe wrote: ....no need to give ejb security

Securing the backend components is always encouraged - the best practice is to secure everything in the first place, before they come into significant threats!
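
A servlet controller along the lines of the reply above, as an added example that is not code from this thread: the login is checked against whatever realm the container is configured with, the user is recorded in HttpSession, and JSPs are left as views. LoginServlet, /login.jsp, /products and the "user" attribute are assumed names; txtUser and txtPassword are the form fields described in the earlier post.

```java
// LoginServlet.java: added illustration, not code from the thread.
// Assumed names: /login, /login.jsp, /products, session attribute "user".
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("txtUser");
        String pwd = req.getParameter("txtPassword");
        if (user == null || pwd == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Container-managed check against the configured realm (for example a
            // JDBC realm); also throws if this request is already authenticated.
            req.login(user, pwd);
        } catch (ServletException e) {
            req.setAttribute("error", "Invalid user name or password");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
            return;
        }
        HttpSession session = req.getSession();   // create the session if needed
        req.changeSessionId();                    // Servlet 3.1: new id after login
        session.setAttribute("user", req.getUserPrincipal().getName());
        // The authenticated principal is propagated to EJB calls from the web tier
        resp.sendRedirect(req.getContextPath() + "/products");
    }
}
```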

 
Gaurav Dighe
Greenhorn
Hi Devaka,
Below is the code.
E.g. my stateful session bean "AuthenticateBean" contains the method below and has the remote interface "AuthenticateBeanRemote" in the package ejb

The login HTML page contains a textbox named "txtUser", a password textbox named "txtPassword" and a Submit button. Clicking Submit takes us to authenticate.jsp.
I know that according to MVC2 I should be using the JSP page for presentation purposes only.

Now in the JSP page, I have imported javax.naming.*, javax.ejb.*, ejb.*; below is some code for demonstration



How do I add an object to the state of a stateful session bean? Can you give me a small code sample?

Is web security alone enough for such an application, or do I need to provide EJB security also?
Second thing: if I want to check authentication using a JDBC Realm, how do I check it? E.g. if a new user (who has not logged in) clicks on the Products page, then he will be checked for whether he is logged in and then whether he is authorised to use that resource. Now in my case, if the user has not logged in, clicking on the Products page should display the Login page with a Register link. If he provides his authentication, then he should be directly allowed to view the Products page. How do I establish this with a JDBC Realm?
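
A stateful cart bean secured at the EJB tier, as an added example that is not code from this thread: it keeps per-client state, restricts calls to a role, and refuses any caller other than the one that first used the instance. CartBean, the "customer" role, NotOwnerException and the method names are assumptions.

```java
// CartBean.java: added illustration, not code from the thread.
// The bean name, the "customer" role and the method names are assumptions.
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remove;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;

@Stateful
@RolesAllowed("customer")   // EJB-tier check, applied whichever client calls the bean
public class CartBean {

    // Checked, so it is an application exception and the instance is not discarded
    public static class NotOwnerException extends Exception { }

    @Resource
    private SessionContext ctx;

    // Conversational state: kept by the container for this one instance
    private final List<String> productIds = new ArrayList<>();
    private String owner;   // principal that made the first call

    public void addProduct(String productId) throws NotOwnerException {
        requireOwner();
        productIds.add(productId);
    }

    public List<String> getProducts() throws NotOwnerException {
        requireOwner();
        return new ArrayList<>(productIds);   // copy, so callers cannot alter the state
    }

    @Remove   // ends the conversation; the container discards the instance afterwards
    public void checkout() throws NotOwnerException {
        requireOwner();
        // order placement would go here
    }

    // Bind the instance to its first caller and refuse any other principal
    private void requireOwner() throws NotOwnerException {
        String caller = ctx.getCallerPrincipal().getName();
        if (owner == null) {
            owner = caller;
        } else if (!owner.equals(caller)) {
            throw new NotOwnerException();
        }
    }
}
```

The web tier would obtain one reference per user through a JNDI lookup or injection and keep it as an HttpSession attribute, reusing that same reference for the rest of the user's session.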
 