JSR 315 standardized how Servlets should initiate a programmatic login. This now happens via a call to HttpServletRequest#login, where previously a vendor specific mechanism was required.
For EJB components such a programmatic login has not been standardized, which means vendor specific solutions are still required (e.g. the ProgrammaticLogin from GlassFish 3.1). This hurts portability and may make it quite hard for bean providers to accomplish this task (the GlassFish class is easy to find, but for other EJB implementations this can be rather difficult).
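The contrast above is the core of the proposal: in a web component the login is a portable API call, in an EJB it is not. As an added illustration, not code from the original proposal, the following servlet shows the standardized Servlet 3.0 path (HttpServletRequest#login, logout, getUserPrincipal, isUserInRole). The URL pattern, the form parameter names and the role name "user" are assumptions; the container realm that validates the credentials is configured outside the code and is not shown.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative servlet, not part of the original proposal. The "/login" pattern,
// the "username"/"password" parameter names and the "user" role are assumptions.
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // login() is specified to fail with ServletException when a caller identity is
        // already established on this request, so check that case explicitly.
        if (request.getUserPrincipal() != null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Already authenticated");
            return;
        }

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        try {
            // Portable since Servlet 3.0 (JSR 315): the container validates the
            // credentials against its configured realm and, on success, the caller
            // principal and roles become visible to the rest of this request.
            request.login(username, password);
        } catch (ServletException e) {
            // Bad credentials, or the container cannot perform a programmatic login
            // for its configured authentication mechanism. Return a generic status;
            // neither the reason nor the credentials are echoed to the client.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Role checks are evaluated against the identity just established.
        if (!request.isUserInRole("user")) {
            // Drop the identity again rather than leave an authenticated but
            // unauthorized caller associated with the request.
            request.logout();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().println("Logged in as " + request.getUserPrincipal().getName());
    }
}
```

Note that the scoping question raised later in the proposal exists here too: the Servlet API establishes the identity for the current request, and whether a container carries it over to later requests in the same session is container behaviour that should be verified rather than assumed.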
I therefore propose to standardize programmatic login from within EJB components.
Such a login should support at least the following use cases:
- Login from within a local invocation of an EJB (where the call chain e.g. originates in a web component)
- Login from within a remote invocation of an EJB
- Login from within an asynchronous invocation of an EJB
- Login from within a timeout method (both automatic and programmatic)
- Login from a MDB during message delivery
Some thought should be given to the scope of the established security context. Some ideas:
- During the invocation of the above-mentioned methods/message delivery only.
- For stateful session beans, for the full life-time of the bean until it is destroyed
- For all beans, for the full life-time of the bean, but only when the login is executed in the @PostConstruct method
- For all beans, for the full life-time of the bean, without restrictions in which method the login is executed
Possibly the API could make a distinction between a method invocation scoped login (first item) and a bean life-cycle scoped login (last three items).