tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dojolava <>
Subject EJB Design / Architecture
Date Fri, 03 Apr 2009 09:41:21 GMT

Hi all,

I have searched for some advice since a week, but I just cannot find any
hint on how to design a basic architecture of a ejb application.

If there are Users and Services and a User has some rights for a Service,
how do keep track of my custom User object inside the ejbcontainer? Do I
have to send the userId with each request?

I thought of two solutions: 

1) I use one Stateless SessionBean that has a login method that returns a
Stateful SessionBean and all subsequent communication is handled by this
Bean. Thus I can safe the User object in the Stateful SessionBean and pass
it to all other services that are used. What I do not like here, is that
this SessionBean has to have ALL possible methods that have to be exposed to
the client. Or can I return other SessionBeans that can be used remotelty
but not direct. Eg:

StatefulBeanRemote myConn =
StatefulSearchBeanRemote search = myConn.getSearchService();"*");

but ctx.lookup("StatefulSearchBeanRemote") should not be possible in this

2) What I initially preferred where multiple SessionBeans, each standing for
one Service. E.g. one for Search, one for Accountmanagement and so on. And
each of them is exposed by @Remote Interface to the client. But here I have
the problem that I do not know who is calling the methods? I only have the
CallerPrincipal in the SessionContext and in the case of openejb that is not
even the username but it might be a group name:

in AbstractSecurityService:
public Principal getCallerPrincipal() {
        ThreadContext threadContext = ThreadContext.getThreadContext();
        SecurityContext securityContext =
        Set<Principal> principals = securityContext.subject.getPrincipals();
        if (!principals.isEmpty()) {
            return principals.iterator().next();
        return null;

So I cannot know if the user making the request is the user whos userid is
sent. I would have to make a custom login on each SessionBean....

How is the "normal" design for this? Does anybody has an example application
that shows this? I just cannot find anything on the net, alltough I think
this scenario must exist a thousand times....

Any help would be appretiated,

View this message in context:
Sent from the OpenEJB User mailing list archive at

View raw message