Session Facade

EJB design: Session Facade

  1. Session Facade (2 messages)

    Hi,

    For my Struts project I have some questions about the architecture of my project.

    I want to use a Session Facade to act as the controller of my EJBs.

    But do you need multiple facades depending on the roles
    of my EJBs (most are entities), or may I use only one facade to invoke my EJBs?

    What's the best design?

    Thanks for your advice.

    --
    Alexandre Jaquet

  2. Session Facade

    Let me explain a use case for my problem in more detail.

    When a user logs into the application, I want him, for example,
    to be redirected to the student page gathering all
    the information concerning the current student.

    Or if it's a professor, the same, but he's redirected to
    the professor group page, where he can update the information related to his courses and have a view of how
    the students evolve.

    Thanks for your advice.

    --
    Alexandre Jaquet

  3. Session Facade

    When you put a security constraint around a Struts action, say studentPage.do, the context will have the principal available from httpServletRequest.getUserPrincipal and can answer the question httpServletRequest.isUserInRole("rolename"), given that you supply the <security-constraint> in the war deployment descriptor and have declared the <login-config> and <security-role> as well.

    If the web container and EJB container are in the same server, then (at least with JBoss Jetty / BEA) the principal is delegated to calls in the EJB tier.

    So, with Struts, simply creating a local / remote in the perform method should suffice, and business methods you call will automatically propagate to the EJB tier.

    Beware that if you do not put security constraints around the web components interacting with the EJB tier, then of course nothing may have been authenticated, and thus the EJB will not know who is calling it.

    Then you either use container-delegated security, e.g.:
    <assembly-descriptor>
      <security-role>
        <role-name>student</role-name>
      </security-role>
      <method-permission>
      ...

    Or, on a per-business-method basis, you can enforce security by checking context.isCallerInRole and context.getCallerPrincipal.

    When the web container and EJB container are in different VMs, consult the documentation on how auth info is propagated. Never done that.

    Hope this is enough,
    JS
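
The per-method check described in the reply above, sketched as an added example that is not code from either poster. It shows a single facade deciding access per business method, and why the principal is compared as well as the role. `CallerContext` is a stand-in for the two `javax.ejb.EJBContext` methods the reply names so the sketch runs without a container; the `CourseFacade` class, its method names, the `professor` role name and the sample logins are assumptions.

```java
import java.security.Principal;

public class FacadeAuthzDemo {
    // Stand-in for the two EJBContext methods named in the reply (assumption:
    // in a real session bean these calls go to the container's SessionContext).
    interface CallerContext {
        Principal getCallerPrincipal();
        boolean isCallerInRole(String role);
    }

    // Hypothetical facade: one class, authorization decided per business method.
    static class CourseFacade {
        private final CallerContext ctx;
        CourseFacade(CallerContext ctx) { this.ctx = ctx; }

        // A role check alone would let any student read any other student's
        // record, so the caller's principal is compared with the record owner.
        String viewStudentRecord(String studentLogin) {
            String caller = ctx.getCallerPrincipal().getName();
            boolean ownRecord = ctx.isCallerInRole("student") && caller.equals(studentLogin);
            if (!ownRecord && !ctx.isCallerInRole("professor")) {
                throw new SecurityException(caller + " may not view " + studentLogin);
            }
            return "record of " + studentLogin;
        }

        String updateCourseInfo(String course, String text) {
            if (!ctx.isCallerInRole("professor")) {
                throw new SecurityException("professor role required");
            }
            return course + " updated by " + ctx.getCallerPrincipal().getName();
        }
    }

    // Constructed caller for the demo: a login name holding exactly one role.
    static CallerContext caller(String name, String role) {
        return new CallerContext() {
            public Principal getCallerPrincipal() { return () -> name; }
            public boolean isCallerInRole(String r) { return role.equals(r); }
        };
    }

    public static void main(String[] args) {
        System.out.println(new CourseFacade(caller("alice", "student")).viewStudentRecord("alice"));
        System.out.println(new CourseFacade(caller("prof1", "professor")).updateCourseInfo("EJB101", "new syllabus"));
        try {
            new CourseFacade(caller("bob", "student")).viewStudentRecord("alice");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

A `<method-permission>` entry can only say which roles may call a method; the ownership comparison in `viewStudentRecord` is the part that needs the programmatic check.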