Title: Q: Client Identification

EJBers,

I know this issue has been raised a number of times in this list, but reading back through the archives didn't give me a definite answer. So, here we go again.

A client who wishes to execute some methods of an EJBean is supposed to perform the following:
1. To locate the Home Interface through JNDI;
2. To invoke a finder method to locate the object, or to create a new one;
3. To invoke the methods she wishes to invoke on that object.

So far everything is obvious.

The container must enforce access authorization to the bean's methods. So at the minimum the container needs the ID of the client (which better be an authenticated one).

Now, method calls are just RMI calls and to my knowledge, there's nothing in RMI to transparently and automatically identify the client.

It is true that the container is responsible to provide the BEAN with the caller's (read client) principal, but this is NOT the question - the question is how does the client identify herself to the server/container on each and every method invocation? (Otherwise she might pass the object reference to someone who's prevented from access.)

The spec is very unclear on this issue, so could somebody clarify the mystique?

Is there a STANDARD way of doing this (i.e. server/container transparent) or not? If yes - what is this way, and if not - what are the techniques that vendors employ in their solutions?

--
David Gasul                               phone:  +972-3-5388634

Telegate Ltd.                             office:     +972-3-5384600

7 Haplada St., 60218 Or-Yehuda          fax:  +972-3-5335877
Israel                                        http://www.telegate.co.il

