I am creating an application where a Java Swing client is connected to an EJB via a remote interface. Now, once the client has logged in, is it possible for the stateless EJB to obtain client-specific data directly from the stateful session bean without involving the client?

Could not find any information on the above issue.

nkvp
  • Would injection of the stateful bean into the stateless bean help? – d1e Jun 21 '12 at 13:10
  • Yes, I think so, but how do I do it? I found http://stackoverflow.com/questions/10373220/create-a-stateful-session-bean-from-a-stateless-bean but I can't understand it. – nkvp Jun 21 '12 at 13:15
  • Try looking at the example here: http://stackoverflow.com/questions/9114132/stateful-bean-injecting-stateless-bean-will-they-both-use-the-same-instance-of – d1e Jun 21 '12 at 13:17
  • But then how do I return the reference to the stateful EJB to the client? – nkvp Jun 21 '12 at 13:22
  • And then how can I access it from other stateless EJBs? – nkvp Jun 21 '12 at 13:23
  • Why do you need a remote stateful session bean? What kind of data do you want to store there? Do you have a Swing client? – Puce Jun 21 '12 at 13:29
  • @Puce Yes, it is a Swing client, and I need to store the authentication status in the stateful bean. – nkvp Jun 21 '12 at 13:36
  • Injecting a stateful session bean into a stateless session bean (or MDB or servlet) is an anti-pattern, unless you use a CDI request-scoped bean. – Brett Kail Jun 22 '12 at 13:07
  • @bkail OK... what do I do then? – nkvp Jun 25 '12 at 05:07
  • @nkvp I was responding to JMelnik's comment. Instead of injecting a stateful session bean in a stateless bean, you could use CDI and mark the stateful session bean as a non-dependent scope, or you would use JNDI/EJBContext to lookup/create a new instance as needed. – Brett Kail Jun 25 '12 at 13:47

2 Answers

AFAIK, if you're using JAAS (recommended) then you don't have to use stateful session beans to store authentication status.

With remote clients, a stateless approach is often preferred, where all data is collected on the client side and sent to the server.

Some useful JAAS links:

http://docs.oracle.com/javaee/6/tutorial/doc/gijrp.html

Possible to access remote EJBs from a custom LoginModule?

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

Book:

http://www.amazon.com/GlassFish-Security-Masoud-Kalali/dp/1847199380/ref=sr_1_1?s=books&ie=UTF8&qid=1340361926&sr=1-1&keywords=GlassFish+Security

Puce
  • The problem is that I don't have sufficient time to learn JAAS. I tried it... it's taking too much time to implement the libraries. – nkvp Jun 21 '12 at 14:54
  • The problem with security is that the overall security is only as strong as its weakest link. And the risk with custom security frameworks to have weak links is much higher than if you use one which has been designed by security experts and has been solidly tested. So it's well worth learning JAAS, IMHO. For EJBs it's quite simple: just some annotations. Then you "only" need to configure how you store the credentials (file, db, ldap,...) and figure out how you can log in from a Swing client. – Puce Jun 21 '12 at 15:38
  • OK... but is there any way other than JAAS to let the authentication happen on the server side and verify permissions on the server side? – nkvp Jun 22 '12 at 06:56
  • Well, there is Spring Security, but I don't know how well it works with EJBs. JAAS is the standard security framework for Java EE. – Puce Jun 22 '12 at 10:39
  • Well, now what I have decided to do is that, since there is insufficient time, I'll temporarily create an authorization key at login and store it in the database. Any user who has to perform any function will have to give the authorization key. I'll implement JAAS after learning it. – nkvp Jun 22 '12 at 12:27
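
The container-managed approach this answer and its comments point to ("just some annotations"), as an added example that is not part of the original answer or comments: a stateless bean reads the caller's identity from the container on every call, so no stateful bean has to hold the login status. The interface, bean and role names are hypothetical, and the code assumes a Java EE 6 container whose security realm already authenticates the remote client.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical remote interface for the Swing client (public, in its own file, in a real project).
@Remote
interface AccountService {
    String whoAmI();
    String readAccount(String owner);
    String closeAccount(String owner);
}

@Stateless
@DeclareRoles({"user", "admin"}) // assumed role names, mapped to users/groups in the server's realm
public class AccountServiceBean implements AccountService {

    // Injected by the container. It exposes the authenticated caller of the
    // current invocation, so no stateful bean has to carry the login status.
    @Resource
    private SessionContext ctx;

    @Override
    @RolesAllowed({"user", "admin"})
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    @Override
    @RolesAllowed({"user", "admin"})
    public String readAccount(String owner) {
        // The owner argument comes from the client and is untrusted: compare it
        // with the container-verified principal; only admins may read others' data.
        String caller = ctx.getCallerPrincipal().getName();
        if (!caller.equals(owner) && !ctx.isCallerInRole("admin")) {
            throw new EJBAccessException(caller + " may not read the account of " + owner);
        }
        return "account data for " + owner; // constructed stand-in for a database lookup
    }

    @Override
    @RolesAllowed("admin") // the container rejects other callers before the method body runs
    public String closeAccount(String owner) {
        return "account of " + owner + " closed by " + ctx.getCallerPrincipal().getName();
    }
}
```

A caller without a permitted role gets a `javax.ejb.EJBAccessException` from the business interface instead of a result.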

A stateless session bean is by definition, well, stateless. You should not write business logic in a SLSB that depends on the state of a session; it's a sign of a misunderstanding of how such components work, and probably denotes a design problem.

If you really, absolutely need to access session information to perform business logic, then do so from a SFSB, not an SLSB. Alternatively, you could pass session state as a parameter to the methods in the SLSB, but such state must come from a stateful component invoking the SLSB.

Óscar López
  • I thought business logic is to be implemented in stateless and stateful session beans and client-specific details are to be implemented in stateful session beans. What I just wanted is to let the authentication happen on the server side. If the client just accessed the stateful session bean and restricted methods, this would be a problem. What I wanted is like whenever a stateless session bean login function is called, the stateful bean should be returned and all the stateless beans should be able to check the authentication status in the stateful bean. – nkvp Jun 21 '12 at 14:47
  • Actually, I meant the stateful bean reference would be returned and stored in the client. – nkvp Jun 21 '12 at 14:57
  • Could you please help me with my other question, http://stackoverflow.com/questions/11184046/load-div-using-struts-2-jquery – nkvp Jun 25 '12 at 06:05