I've been carrying on this discussion with Assaf Arkin and Rickard Oberg
(sorry, Rickard; can't figure out on my Sun keyboard here how to create
the proper character for the first letter of your last name--and am
feeling quite stupid about it, actually....) offline, and would now like
to expose it to the EJB-INTEREST list as a whole.
Has anyone out there written a servlet to log a user in to a system? (I
SURE hope the answer is yes. :-))
If so, has that same person then managed to pass that information on to
an EJB container? If so, how? Could you kindly pass sample code along
for your container's way of doing this?
Here, in more detail, is what I'm talking about. Note that although the
Servlet 2.2 API has security related calls (isCallerInRole(), etc.) I am
restricted to using 2.1 (as I suspect 902837029375 other people are as
well) which has no such calls:
Joe wants to log in, so he hits a URL that calls LoginServlet.
LoginServlet takes in username and password, looks up user by username
(in the database, say), finds the user on disk, validates password;
everything is OK. LoginServlet puts Joe, or some other token, into the
Session object to effectively identify that Joe is indeed logged in.
===> MAGIC PART STARTS HERE
LoginServlet now somehow magically calls God down from the heavens to
cause a miracle to happen whereby the EJB container that hasn't yet been
invoked is now made aware of the fact that Joe is the current
Principal. That is, any enterprise bean that, in the future, will call
EJBContext.getCallerPrincipal(), will get Joe's Principal as the return
value. Various angels and demigods retreat back to the ethereal heights
whence they came.
===> MAGIC PART ENDS HERE
Joe now navigates around the site as a "logged in" user and finally hits
OrderProcessingServlet.
OrderProcessingServlet does something to figure out that Joe is logged
in. Perhaps it looks in the Session object to get the joe object that's
been stashed there. Doesn't really matter. All that matters is this
servlet knows now that it is dealing with an authenticated user.
OrderProcessingServlet calls InitialContext.getInitialContext() (or
whatever that first JNDI call is).
Using the context, OrderProcessingServlet now wants to get the
OrderProcessor session bean. OrderProcessingServlet gets the session
bean's home.
OrderProcessingServlet uses the OrderProcessorHome to get the
OrderProcessor.
OrderProcessingServlet now invokes OrderProcessor.processOrder().
This method invocation of course flows across the wire into the EJB
container.
The EJB container begins checking security.
===> MAGIC CONTAINED STARTING HERE
The EJB container DUE TO MAGIC AND DIVINE INTERVENTION (see above)
miraculously already? knows that the invoker of processOrder() is Joe.
===> MAGIC CONTAINMENT ENDS HERE
The EJB container looks up its little container-specified list of users
to roles.
The EJB container discovers that in fact Joe is wanted in five states
for armed assault and hence is not a member of the Buyer role.
The EJB container rejects the call to processOrder().
OrderProcessingServlet receives an Exception saying something like "Joe
not in role Buyer".
OK, there are two spots in this ridiculously simple flow of events where
divine intervention is required. Could someone (preferably using
WebLogic) please detail the prayers and incantations that are required
of the various servlets in order to get the EJB container to be aware
that Joe has logged in?
Does anyone from Sun monitor this list? Is this absurdly childish
example REALLY this hard? Is it therefore the case that if this example
is indeed correct that one would be utterly foolish and insane to buy a
servlet engine that is not tightly coupled to an EJB container? Doesn't
that in itself violate the entire intent of the specification, viz.
buying best-of-breed individual components that don't need to be made by
the same vendor? Isn't this all incredibly stupid?
Cheers,
Laird
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
