I've just read a nice posting from Larry Cable re: Servlets -> EJB Session Persistence, which outlines how you'd persist a Stateful Session Bean handle when accessed via a servlet.

We will have a similar architecture (browser <--> servlet <--> EJB/SB); however, ideally we'd like to keep the session beans stateless, AND we do need to be able to identify the exact end user who is using the servlet/SB (where the EJB will need to perform more complex authorization checks on each request, depending on the user).

What would be an acceptable & secure way to accomplish this? I.e., how does the caller identity (java.security.Identity?) get persisted & propagated from the servlet, which is ultimately the one getting EJBs and calling them on behalf of a user?

Or is the best way to create a StatefulSessionBean per authenticated user session, and ensure that a client always uses their SSB either as OneBigHighLevelFacade or as an argument to every request (i.e., a SessionIdentifier)?

Thanks for any advice here, or pointers to articles/papers regarding this.

- Eric Yu [ mailto:[EMAIL PROTECTED] ]
Centerprise Services, Inc.

P.S. The URL for the above-mentioned posting is:
http://archives.java.sun.com/cgi-bin/wa?A2=ind9903&L=ejb-interest&D=0&P=3289 2
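One way to keep the session bean stateless and still authorize per user, added here as an illustration (not code from the post or its thread): let the web container authenticate the user and the EJB container propagate that identity, so the bean reads the caller from its SessionContext on every call instead of trusting a user id passed as an argument. This assumes container-managed security and the EJB 1.1 API (getCallerPrincipal, isCallerInRole) rather than the EJB 1.0 java.security.Identity methods the post mentions; OrderServiceBean, the "customer" role and ownsOrder are hypothetical.

```java
// Added example, not from the original post. Assumes the servlet is behind a
// container login (login-config in web.xml) and that the EJB container maps
// the web caller's principal onto the bean call (container-managed security).
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class OrderServiceBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext c) { this.ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Business method: no user id argument. The caller identity comes from the
    // container, so a client cannot act as someone else by changing a parameter.
    public void cancelOrder(String orderId) {
        String caller = ctx.getCallerPrincipal().getName();
        // Coarse check via the deployment-descriptor role, then a fine-grained
        // ownership check that only the bean can perform.
        if (!ctx.isCallerInRole("customer") || !ownsOrder(caller, orderId)) {
            throw new EJBException("caller " + caller + " may not cancel " + orderId);
        }
        // ... perform the cancellation (omitted)
    }

    // Hypothetical ownership rule for the example; a real bean would consult
    // the persistence layer.
    private boolean ownsOrder(String caller, String orderId) {
        return orderId.startsWith(caller + "-");
    }
}
```

On the servlet side, HttpServletRequest.getUserPrincipal() shows the same identity the bean sees; the servlet need not carry or store it itself.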