It would be nice to have a SecurityService that allowed you to use the Servlet api to enforce role based security and authorization when using openejb in *embedded* mode inside a servlet container.
The HttpServletRequest api gives you isUserInRole() getRemoteUser() The ejb SessionContext provides getCallerPrincipal() isCallerInRole() It would be nice if the ejb session context could use the related HttpServletRequest api methods in its implementation in cases where openejb is embedded in a servlet container. From not thinking about this too much, you might need to use a ServletFilter in conjunction with a ServletSecurityService. I did look at this a while ago but don't have much time to dedicate to it and it works using TomEE so wasn't a show stopper, just a nice to have. -- View this message in context: http://openejb.979440.n4.nabble.com/ejb-from-ws-tp4470387p4476833.html Sent from the OpenEJB User mailing list archive at Nabble.com.
