Engström Anders wrote:
>
> Hi.
>
> This is my problem:
>
> We are building a multi-tier J2EE application using Oracle's iAS9 application
> server. The clients will be servlets, JSP pages and applets. The
> web-tier communicates with session EJBs on the application server using
> "light JavaBean mirrors of the EJBs" on the web-tier.
>
> Each user is assigned a role when logging in to the system. This role
> (admin, registrator, guest etc.) is used in the EJB container to restrict
> access to certain methods. The JavaBeans in the web-tier use the role to
> look up the EJBs in the appserver, thereby propagating the role to the
> EJB container.
>
> The problem is that we need to propagate the unique user identity to the
> EJB container as well (for logging and row-based access to the database).
> How do we do this in a good manner? I suppose we could send the user identity
> with every method invocation, but that seems stupid :/ Is there a way to put
> this information into some kind of context that each EJB within the session
> can use? Or, can this be accomplished by setting some kind of context when
> looking up the home interface of the first EJB?
Engström,
Yours is an example of a frequently occurring problem.
Usually, for web-based applications where users can self-register and thereby
gain access to their own account data, sending the user name in as the
UserPrincipal doesn't work because the server will not recognise it, while
sending a role as the UserPrincipal requires another means of passing the actual
user name.
I tell my clients that processing using the names of customers/prospects is
"Customer Relationship Management", and server security facilities have not been
designed to do CRM. Hence sending the user identity as an explicit parameter on
requests is alright.
I realise that this is exactly what you thought of doing yourself, but perhaps
I've made you feel a little better about doing it?
Ian McCallion
Alexis Systems Limited
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
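Ian's advice is to let the container's role decide which methods may be called and to carry the unique user identity as an explicit argument. The following session bean is an added illustration of that shape; it is not code from this thread or from the iAS9 product, and it uses the later EJB 3 annotation API rather than the EJB 1.1/2.0 home-interface style the thread is about. The bean name `AccountService`, the `Account` entity, the `closed`/`ownerId` fields and the `admin`/`registrator`/`guest` role names are assumed. The point the reply leaves implicit is shown in the code: the `userId` argument originates in the web tier, so the bean uses it for auditing and row filtering but never as the basis for deciding whether the method may be invoked at all; that decision stays with the container-authenticated principal.

```java
import java.security.Principal;
import java.util.List;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

/** Assumed entity (not from the thread): one row per account, owned by a user id. */
@Entity
class Account {
    @Id
    private long id;
    private String ownerId;   // the unique user identity the web tier knows
    private boolean closed;

    public long getId() { return id; }
    public String getOwnerId() { return ownerId; }
    public boolean isClosed() { return closed; }
    public void setClosed(boolean closed) { this.closed = closed; }
}

/**
 * Assumed session bean (not from the thread). Method-level access is enforced by
 * the container from the caller's role; the explicit userId argument is used only
 * for logging and for restricting which rows the call may touch.
 */
@Stateless
public class AccountService {

    private static final Logger LOG = Logger.getLogger(AccountService.class.getName());

    @Resource
    private SessionContext ctx;       // injected by the container

    @PersistenceContext
    private EntityManager em;         // assumed persistence unit

    /** Any of the three roles may list, but only the rows owned by userId. */
    @RolesAllowed({"admin", "registrator", "guest"})
    public List<Account> listAccounts(String userId) {
        audit("listAccounts", userId);
        // Row-based access: userId is bound as a parameter, never concatenated
        // into the query string.
        return em.createQuery(
                "SELECT a FROM Account a WHERE a.ownerId = :owner", Account.class)
                 .setParameter("owner", userId)
                 .getResultList();
    }

    /** The container rejects guests here before the body runs, whatever userId says. */
    @RolesAllowed({"admin", "registrator"})
    public void closeAccount(String userId, long accountId) {
        audit("closeAccount", userId);
        Account a = em.find(Account.class, accountId);
        // Ownership check on the row: a non-admin caller may only close an
        // account whose ownerId matches the user identity passed in.
        boolean ownsRow = a != null && a.getOwnerId().equals(userId);
        if (!(ownsRow || ctx.isCallerInRole("admin"))) {
            throw new EJBAccessException(
                "account " + accountId + " is not owned by user " + userId);
        }
        a.setClosed(true);
    }

    /**
     * Log both identities: the container-authenticated principal (which, in the
     * design described in the thread, carries the role) and the explicit user id.
     */
    private void audit(String operation, String userId) {
        Principal p = ctx.getCallerPrincipal();
        LOG.info(operation + " principal=" + p.getName() + " userId=" + userId);
    }
}
```

For this to mean anything, the web-tier JavaBean mirror must take `userId` from the state it established at login (for example the authenticated HTTP session), not from a request parameter, so that a browser cannot substitute another user's identity on the call. With that in place, the audit line records both who the container thinks is calling (the role principal) and which user the web tier was acting for, and a mismatch between the two in the log is the first thing to look for when investigating unexpected data access.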