Hi Ivan, thank you. Yes, I thought the same. I haven't had a look at Spring Security, I thought this is too much for what I need.
The main problem really might be that due to the fact that OpenEJB does not return the UserPrincipal on getCallerPrincipal(), it is not possible to determine the caller's identity... so you might be right about the need of another container or even a whole application server like Glassfish or JBoss. Or would Geronimo handle this correctly, is it a bug in OpenEJB after all?

Thanks,
Mathis

On Sat, Apr 4, 2009 at 12:02 PM, <[email protected]> wrote:
> Hi!
> First of all, I would definitely go with your second alternative with
> multiple session beans, each one responsible for a specific service.
>
> Have you had a look at Spring Security?
> http://static.springframework.org/spring-security/site/index.html
>
> If you want to create your own security solution, the EJB 3 specification
> does not, to the best of my knowledge, contain anything on programmatic
> login - that is, how to programmatically set a user principal (something I
> suspect you will have to do). To find information on such things you have to
> go outside of the EJB container, for instance to Glassfish.
> For an example, see the section on Programmatic Login in chapter 5 of the
> Sun Application Server 9.1 Developer's Guide.
> Best wishes!
> Ivan A Krizsan
