Best pratice using jSecurity in a ejb applicationen

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Best pratice using jSecurity in a ejb applicationen

Markus Nicks
Hallo,
most examples I found (sample apps, forum, ...) are about how to use/config jSecurity in a "simple" web or standalone application. The concept of the framework is clear but at the moment I have several questions how to integrate jSecurity in our 3-tier appliation (overview see below).

---------------------------
Overview
---------------------------
In our szenario (ui layer (web container) <--> business layer (ejb container) <--> DB) the authentifiaction entities (account, role, permission) are stored in a DB an only accessible by the business layer. The web ui calls the business logic over a stateless session bean. The SLSB is only a facade for the spring enabled business logic.

ui layer (runtime: web container):
* web based ui
* usage of a prorietary web framework (SAP Java Web Dynpro). In this framework the well known web standards (e.g. web.xml, filter, listerner) are not visible for the developer

business layer (runtime: EJB 3 container):
* spring based business logic
* stateless
* business logic is accessible via stateless session bean (only a wrapper for "spring" services)
-------------------------------

* Only the business layer could access the security entities in the DB. So in my opinion the setup of jSecurity framework has to be done in the ejb/spring container? Is this correct?
* Are the DefaultSecurityManager and his internal used default objects (e.g. DefaultCacheManger) usable in an ejb container?
* How to register/bootstrap the SecurityManager in an ejb/spring container? As I understand <SecurityUtils.setSecurityManager(springCtx.getBean("securityManager"));> are not recommended in a J2EE environment.
* Is an distrbuted cache used by default? If not, how to setup?
* Is it possible to externally config the session timeout via spring?
* Ckeck of permissions must also be possible in the ui layer. How to access the remote security context in the bsiness layer?
* Are there any examples/ experience using jSecurity and e.g. Teracotta in a clustered environment?

Any tipps or best pratices how a spring configuration for the ejb based business layer could look like are welcome?

Regars,
Markus