Which means if you go for declarative you do not have to include components regarding this. But other components which are related to a user activity you may have
Ask yourself how important it is to protect the EJB tier from the Swing tier, especially in this case. This of course depends on which network zone the travel agents are located in. Search the forum and you will find some answers.
By the way, some containers offer their own authentication or also authorization for J2EE clients, e.g. as mentioned above, WebLogic offers this by using JNDI. So if you would also like to go for a declarative way there, you have to propagate the user principals in the J2EE client, which is done there programmatically, e.g. the code which I personally use in a WebLogic app:
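code:
--------------------------------------------------------------------------------
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

// JNDI environment that carries the user's principal and credentials
Hashtable<String, Object> hashtable = new Hashtable<>();
hashtable.put( Context.SECURITY_PRINCIPAL, "105000" );
hashtable.put( Context.SECURITY_AUTHENTICATION, "simple" );
hashtable.put( Context.SECURITY_CREDENTIALS, "105000" );
hashtable.put( "java.naming.provider.url", "t3://127.0.0.1:7001" );
// Create the initial context with this environment (throws NamingException)
Context context = new InitialContext( hashtable );
--------------------------------------------------------------------------------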
This is correct: if you want to go for the fully declarative approach, then you do not have to use an interception filter. Both containers will then do the authentication and authorization for you.
- Use the declarative possibility of your web container and verify that it is compatible with the EJB container product, so that automatic principal propagation is possible.
- If the web container and EJB container are not compatible, you have to write your own realm class in the web container which propagates the principals. That is what I tried to explain in the posts above.
Credit card authorisation should happen in a secure way ... you can use XML-RPC over HTTPS!