
I have an EJB 3 application as a service layer and a Tapestry 5 web application as its client. The EJBs should provide a session facade for use by the web app.

To do the operations defined in the EJB layer, the user needs to log in through the web interface. I must have entity level security, so Java EE declarative security is of little use to me here.

How should I implement security in this kind of setup? I would rather have it implemented on the EJB layer than in the web app, in case I switch clients.

I could use the http session in the web app to store the user session and then pass the User object in every stateless EJB call.

public void doStuff(params, User user);

Are stateful session beans the solution here?

Edit: By entity level security I mean row level security.

Nefron

1 Answer


What exactly do you mean by Entity Level Security?

If I understand you correctly you directly invoke your SLSB from your web application with a logged in user?

If so: Write an Interceptor which gets the SessionContext injected as a Resource and annotate your SLSB with this Interceptor... in the Interceptor's @AroundInvoke get the Principal from the SessionContext and from there you can do whatever you want (e.g. query the db for the user and if something is wrong directly throw an exception from the Interceptor w/o making it to your SLSB).

Korgen