We're currently migrating from an Entity-only architecture to one where we'll wrap our
Entity beans with Session beans. In this case, where we've taken a more action-centric
approach, we are wrestling with the best way to handle authentication and
authorization. At the most basic level, we could simply require a userid and password
to be passed on each request. This approach, although simple, seems inefficient at
best. So far, we've come up with a couple of alternatives. For one, we could make the
session beans stateful. This would solve the problem but goes against the notion of
scalability and places more responsibility on the client to release the service
objects when they're finished. On the other hand, we could implement some kind of
caching mechanism that would hold the user permission settings using perhaps an MRU
algorithm. Have any of you folks had any experience with this issue? Any ideas or
suggestions?
Thanks,
Rick