EJB_SPEC-48

Programmatic login from within EJB components

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.2
    • Fix Version/s: Future version
    • Labels:
      None

      Description

      JSR 315 standardized how Servlets should initiate a programmatic login. This now happens via a call to HttpServletRequest#login, where previously a vendor specific mechanism was required.

      For EJB components such a programmatic login has not been standardized, which means vendor specific solutions are still required (e.g. the ProgrammaticLogin from GlassFish 3.1). This hurts portability and may make it quite hard for bean providers to accomplish this task (the GlassFish class is easy to find, but for other EJB implementations this can be rather difficult).

      I therefore propose to standardize programmatic login from within EJB components.

      Such a login should support at least the following use cases:

      • Login from within a local invocation of an EJB (where the call chain e.g. originates in a web component)
      • Login from within a remote invocation of an EJB
      • Login from within an asynchronous invocation of an EJB
      • Login from within a timeout method (both automatic and programmatic)
      • Login from a MDB during message delivery

      Some thought should be given to the scope of the established security context. Some ideas:

      • During the invocation of the above mentioned methods/message delivery only.
      • For stateful session beans, for the full life-time of the bean until it is destroyed
      • For all beans, for the full life-time of the bean, but only when login executed in the @PostConstruct method
      • For all beans, for the full life-time of the bean, without restrictions in which method the login is executed

      Possibly the API could make a distinction between a method invocation scoped login (first item) and a bean life-cycle scoped login (last three items).

      E.g.

      import javax.annotation.PostConstruct;
      import javax.annotation.Resource;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;

      // Invocation-scoped login: the proposed SessionContext#invocationLogin
      // (not part of the current EJB API) would establish the caller identity
      // for the duration of this business method call only.
      @Stateless
      public class SomeBean {
      
          @Resource
          private SessionContext sessionContext;
      
          public void businessMethod() {
              sessionContext.invocationLogin("username", "password");
              // Existing EJB API: the caller principal now reflects the login above.
              assert sessionContext.getCallerPrincipal().getName().equals("username");
          }
      }
      
      // Bean life-cycle scoped login: the proposed SessionContext#beanLogin
      // (also not part of the current EJB API) would establish the identity
      // once, in @PostConstruct, for the life-time of the bean instance.
      @Stateless
      public class SomeOtherBean {
      
          @Resource
          private SessionContext sessionContext;
      
          @PostConstruct
          private void doLogin() {
              sessionContext.beanLogin("username", "password");
          }
      
          public void businessMethod() {
              // Every later business method runs under the identity set in doLogin().
              assert sessionContext.getCallerPrincipal().getName().equals("username");
          }
      }
      
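As an added illustration of the Servlet 3.0 mechanism the description refers to (example code, not part of the issue and not the proposed EJB API): a servlet that logs in programmatically via HttpServletRequest#login and then calls a session bean, so the identity established in the web tier can be compared with what SessionContext#getCallerPrincipal reports on the EJB side. The WhoAmIBean and ProgrammaticLoginServlet classes, the /login path and the username/password parameter names are assumptions; each class belongs in its own source file.

```java
import java.io.IOException;
import java.security.Principal;

import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed EJB (not from the issue): reports the caller identity the container
// sees for the current invocation, using only standard EJB API.
@Stateless
public class WhoAmIBean {

    @Resource
    private SessionContext sessionContext;

    public String callerName() {
        return sessionContext.getCallerPrincipal().getName();
    }
}

// Assumed servlet (not from the issue): performs the Servlet 3.0 programmatic
// login and then calls the EJB so the propagated identity can be observed.
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @EJB
    private WhoAmIBean whoAmIBean;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Credentials come from the request body, never from constants in code.
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        try {
            // HttpServletRequest#login (JSR 315): validate the credentials against the
            // container's configured realm. Throws ServletException if they are rejected,
            // if a caller identity was already established for this request, or if the
            // configured authentication mechanism does not support programmatic login.
            request.login(username, password);
        } catch (ServletException e) {
            // Log server-side; do not leak the failure reason to the client.
            log("programmatic login failed for " + username);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Principal principal = request.getUserPrincipal();

        // With the identity established in the web tier, a local EJB call in the same
        // call chain is expected to run as that caller (the issue's first use case).
        String ejbCaller = whoAmIBean.callerName();

        response.setContentType("text/plain");
        response.getWriter().println("servlet sees: " + principal.getName());
        response.getWriter().println("EJB sees:     " + ejbCaller);

        // Servlet 3.0 counterpart of login: drop the authenticated identity again.
        request.logout();
    }
}
```

The point of the comparison is the asymmetry the issue describes: the web component has a portable call to establish an identity, and the container propagates it into the bean, but the bean itself has no standard counterpart and would need a vendor-specific API to initiate a login on its own.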

        Activity

        marina vatkina added a comment -

        The only alignment with the Servlet spec in the new security features will be support for the predefined "**" role. The rest I'm deferring till next release.


          People

          • Assignee: marina vatkina
          • Reporter: arjan tijms
          • Votes: 2
          • Watchers: 2
