We have a client that calls a method on a stateless session bean to act on
other beans through local interfaces in a single transaction. We wrote a
security SecurityProxy that does instance-based per-method authorization
using our own fine-grained permissions which are set for the user in the
database. This user has done a JAAS login using Client and Database login
modules, so in SecurityProxy invoke() we can get his Principal from the
EJBContext and we can look up his permissions in the database based on the
name of that Principal. But we don't want to do this database permissions
lookup on every method invocation, so we cache the set of permissions for
that user in ThreadLocal the first time our SecurityProxy does an invoke().
Is it legitimate to assume we will have the same thread through multiple
calls to local bean method invocations throughout this transaction? It
seems to work, but are we just lucky?


_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
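
An added example, not part of the original post and not JBoss code: a ThreadLocal permission cache on a pooled thread outlives the caller it was filled for, so the cached entry should record the principal it belongs to and be cleared when the unit of work ends. The class and method names, the principals and the permission strings are constructed for illustration; a one-thread executor stands in for a container worker pool (Java 16+ for the record).

```java
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalPermissionCache {
    // Cache entry remembers which principal the permissions belong to.
    private record Entry(String principal, Set<String> permissions) {}

    private static final ThreadLocal<Entry> CACHE = new ThreadLocal<>();

    // Stand-in for the database lookup (constructed sample data).
    static Set<String> loadFromDatabase(String principal) {
        System.out.println("  db lookup for " + principal);
        return principal.equals("alice") ? Set.of("order:read", "order:approve")
                                         : Set.of("order:read");
    }

    // Unsafe: trusts whatever is already cached on this thread.
    static Set<String> permissionsUnsafe(String principal) {
        Entry e = CACHE.get();
        if (e == null) {
            e = new Entry(principal, loadFromDatabase(principal));
            CACHE.set(e);
        }
        return e.permissions();
    }

    // Safer: reuse the entry only if it was loaded for the same principal.
    static Set<String> permissionsChecked(String principal) {
        Entry e = CACHE.get();
        if (e == null || !e.principal().equals(principal)) {
            e = new Entry(principal, loadFromDatabase(principal));
            CACHE.set(e);
        }
        return e.permissions();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one reused worker thread
        try {
            pool.submit(() -> System.out.println("alice: " + permissionsUnsafe("alice"))).get();
            // Same thread, different caller: alice's cached set is returned for bob.
            pool.submit(() -> System.out.println("bob (unsafe): " + permissionsUnsafe("bob"))).get();
            pool.submit(() -> System.out.println("bob (checked): " + permissionsChecked("bob"))).get();
            pool.submit(CACHE::remove).get(); // clear at the end of the unit of work
        } finally {
            pool.shutdown();
        }
    }
}
```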