Posted to user@shiro.apache.org by Markus Nicks <ma...@gmail.com> on 2009/01/16 06:57:02 UTC

Best practice using jSecurity in an ejb application

Hello,
most examples I found (sample apps, forum, ...) are about how to use/configure
jSecurity in a "simple" web or standalone application. The concept of the
framework is clear, but at the moment I have several questions about how to
integrate jSecurity in our 3-tier application (overview see below).

---------------------------
Overview
---------------------------
In our scenario (ui layer (web container) <--> business layer (ejb
container) <--> DB) the authentication entities (account, role,
permission) are stored in a DB and only accessible by the business layer. The
web ui calls the business logic over a stateless session bean. The SLSB is
only a facade for the spring enabled business logic.

ui layer (runtime: web container):
* web based ui
* usage of a proprietary web framework (SAP Java Web Dynpro). In this
framework the well known web standards (e.g. web.xml, filter, listener) are
not visible for the developer

business layer (runtime: EJB 3 container):
* spring based business logic
* stateless
* business logic is accessible via stateless session bean (only a wrapper
for "spring" services)
-------------------------------

* Only the business layer could access the security entities in the DB. So
in my opinion the setup of jSecurity framework has to be done in the
ejb/spring container? Is this correct?
* Are the DefaultSecurityManager and its internally used default objects (e.g.
DefaultCacheManager) usable in an ejb container?
* How to register/bootstrap the SecurityManager in an ejb/spring container?
As I understand
<SecurityUtils.setSecurityManager(springCtx.getBean("securityManager"));>
is not recommended in a J2EE environment.
* Is a distributed cache used by default? If not, how to set it up?
* Is it possible to externally configure the session timeout via spring?
* Check of permissions must also be possible in the ui layer. How to access
the remote security context in the business layer?
* Are there any examples/ experience using jSecurity and e.g. Terracotta in a
clustered environment?

Any tips or best practices how a spring configuration for the ejb based
business layer could look like are welcome.

Regards,
Markus