Why do tutorial writers feel such a desperate need to write convoluted, obscure descriptions, when using simple language would do much better work, and would leave their readers with much more knowledge, and with far fewer headaches and much less frustration???
Java EE security is easy to implement and configure, and can offer fine-grained access control to application functions and data. However, as is inherent to security applied at the application layer, security properties are not transferable to applications running in other environments and only protect data while it is residing in the application environment. In the context of a traditional application, this is not necessarily a problem, but when applied to a web services application, where data often travels across several intermediaries, you would need to use the Java EE security mechanisms along with transport-layer security and message-layer security for a complete security solution.
After reading it over and over 5 times, I actually figured out that they are trying to say something like:
EJB security can only protect the objects and data that reside in the EJB container. When objects and data are sent to other environments, such as web services, they cannot be protected by the EJB container while they are traveling outside of the EJB container.
From "Mastering EJB" 3rd edition:
TRANSACTIONS AND J2EE CONNECTORS
The J2EE Connector Architecture defines a standard contract between Resource Adapters (RA) and application servers such that RA can leverage the container services for supporting transactions. This standard contract enables an application server to provide the infrastructure and runtime environment for transaction management of RA components. RA can support either a local transaction, which is managed internally by the resource manager, or it can support a distributed transaction, whose coordination does involve external transaction managers. If RA that supports local transactions, the client component, such as an EJB, will have to acquire the common client interface API object, such as javax.resource.cci.LocalTransaction or an equivalent from the resource adapter to demarcate the transactions. If RA supports distributed transactions, the container will automatically enlist the client in the transaction context, if the client wants to work within a distributed transaction. J2EE Connector Architecture 1.5 supports the inflow of transactions from Enterprise Information System (EIS) to the J2EE environment. This is a powerful addition because it enables the J2EE applications to participate in transactions initiated by backend EIS. For example, you can make your stateless session bean participate in a transaction that was initiated in the Tuxedo environment, given that the underlying RA supports this contract. Chapter 17 explains J2EE Connector Architecture in more details.
We are in chapter 12. Why do you use terms that you are not going to explain till chapter 17??? This book includes some of the most obscure texts I have read in a long time. Why do they think that by calling Resource adapters "RA" I am supposed to understand what they are talking about???

[ April 14, 2007: Message edited by: Joseph Sweet ]