Posted to users@tomee.apache.org by dojolava <do...@gmail.com> on 2009/04/03 11:41:21 UTC

EJB Design / Architecture

Hi all,

I have searched for some advice for a week, but I just cannot find any
hint on how to design a basic architecture of an EJB application.

If there are Users and Services and a User has some rights for a Service,
how do I keep track of my custom User object inside the EJB container? Do I
have to send the userId with each request?

I thought of two solutions: 

1) I use one Stateless SessionBean that has a login method that returns a
Stateful SessionBean, and all subsequent communication is handled by this
Bean. Thus I can save the User object in the Stateful SessionBean and pass
it to all other services that are used. What I do not like here is that
this SessionBean has to have ALL possible methods that have to be exposed to
the client. Or can I return other SessionBeans that can be used remotely
but not directly? E.g.:

StatefulBeanRemote myConn =
((StatelessBeanRemote)ctx.lookup("StatelessBeanRemote")).login();
StatefulSearchBeanRemote search = myConn.getSearchService();
search.search("*");

but ctx.lookup("StatefulSearchBeanRemote") should not be possible in this
case.

2) What I initially preferred were multiple SessionBeans, each standing for
one Service. E.g. one for Search, one for Account management and so on. And
each of them is exposed by a @Remote Interface to the client. But here I have
the problem that I do not know who is calling the methods. I only have the
CallerPrincipal in the SessionContext, and in the case of OpenEJB that is not
even the username but it might be a group name:

in AbstractSecurityService:
public Principal getCallerPrincipal() {
    ThreadContext threadContext = ThreadContext.getThreadContext();
    SecurityContext securityContext = threadContext.get(SecurityContext.class);
    // All principals attached to the authenticated Subject; their order is
    // whatever the login module produced.
    Set<Principal> principals = securityContext.subject.getPrincipals();
    if (!principals.isEmpty()) {
        // Returns whichever principal happens to come first, which need not
        // be the user principal.
        return principals.iterator().next();
    }
    return null;
}

So I cannot know if the user making the request is the user whose userId is
sent. I would have to make a custom login on each SessionBean...

How is the "normal" design for this? Does anybody have an example application
that shows this? I just cannot find anything on the net, although I think
this scenario must exist a thousand times...

Any help would be appreciated,
Mathis


-- 
View this message in context: http://www.nabble.com/EJB-Design---Architecture-tp22865110p22865110.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
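One way to answer the "who is calling" question for option 2, as an added example that is not from the original mail or from OpenEJB: a stateless bean that takes the acting user from the container's caller principal and refuses a client-supplied userId that does not match it, so the client never becomes the source of truth for identity. The bean, interface, role names and the balance lookup are hypothetical; the assumption that getCallerPrincipal().getName() is the username depends on how the configured login module populates the Subject, which is exactly the point raised above and should be checked in the security service configuration.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Remote view exposed to clients (hypothetical name).
@Remote
interface AccountServiceRemote {
    String showBalance(String requestedUserId);
}

@Stateless
@RolesAllowed({"user", "admin"})   // container rejects unauthenticated callers before the body runs
public class AccountServiceBean implements AccountServiceRemote {

    @Resource
    private SessionContext ctx;    // injected; reflects the caller of the current invocation

    // Identity of the authenticated caller as established by the container login.
    // Assumption: the login module puts the user principal first in the Subject,
    // so getName() is the username. If it yields a group name instead, fix the
    // login module rather than trusting a userId passed by the client.
    private String callerName() {
        Principal p = ctx.getCallerPrincipal();
        if (p == null || p.getName() == null || p.getName().isEmpty()) {
            throw new EJBAccessException("no authenticated caller");
        }
        return p.getName();
    }

    public String showBalance(String requestedUserId) {
        String caller = callerName();
        // Ownership check: a user may only read their own account unless they
        // hold the admin role. The client-supplied id is compared, never trusted.
        if (!caller.equals(requestedUserId) && !ctx.isCallerInRole("admin")) {
            throw new EJBAccessException(caller + " may not read account " + requestedUserId);
        }
        return lookupBalance(requestedUserId);
    }

    // Stand-in for the real data access; returns a constructed sample value.
    private String lookupBalance(String userId) {
        return "balance for " + userId + ": 42.00";
    }
}
```

Because the role check and the principal both come from the container, this works the same whether the bean is reached through a login-returned stateful bean or looked up directly from JNDI.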