I've been thinking about ways to provide authentication and access privileges to my DAO classes. I would like to put all the authentication and access privileges logic inside the DAO so I can publish the DAO as a Web Service or a Session Bean.
After thinking a lot about it I found two possible solutions.
The first one is to provide a "login" method inside my DAO that returns a User object with the user information. Then, for all my DAO methods I pass the User object so it can check for access privileges.
The advantage of this solution is that my DAO is stateless and provides better scalability for Web Services and Session Beans.
The disadvantage is that it is not very secure because I can instantiate a User object with the user information and pass it to the methods.
The second solution is to provide a login method that stores the user information inside the DAO. The DAO methods will use this object to check for access privileges.
The advantage of this solution is that my DAO is secure.
The disadvantage is that my DAO is stateful and will not scale as well as a stateless solution.
Has anybody got a conclusion for this problem? Any other ideas or suggestions?
Why would you directly publish your DAOs as Web Services, or as anything, for that matter?
It's better to publish a wrapper, and add the authorization logic there. Check the Session Facade pattern.
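The shape the answer is pointing at, as an added example that is not code from either poster: a Session Facade that does the authentication and authorization itself and delegates to a DAO that knows nothing about users. It keeps the statelessness of the first solution (every call carries a credential) but closes its hole, because the credential is an HMAC-signed token that only the server can mint, not a User object the caller builds. The class names (`OrderFacade`, `OrderDao`, `Principal`), the `user|expiry|hmac` token layout, the sample users and the demo key are all assumptions made for this example; the facade would normally be the Session Bean or Web Service endpoint.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Session Facade (hypothetical): stateless, but the per-call credential is a server-signed token.
class OrderFacade {
    private static final long TOKEN_TTL_MS = 15 * 60 * 1000L;
    private final OrderDao dao = new OrderDao();
    private final byte[] serverKey;                                       // never leaves the server
    private final Map<String, byte[]> passwordHashes = new HashMap<>();    // constructed sample users
    private final Map<String, Set<String>> permissionsByUser = new HashMap<>();

    OrderFacade(byte[] serverKey) {
        this.serverKey = serverKey;
        addUser("alice", "alice-pw", Set.of("ORDER_READ", "ORDER_WRITE"));
        addUser("bob", "bob-pw", Set.of("ORDER_READ"));
    }

    private void addUser(String name, String password, Set<String> perms) {
        passwordHashes.put(name, sha256(password));   // a real store would use a slow hash (PBKDF2/bcrypt)
        permissionsByUser.put(name, perms);
    }

    // Authentication: check the credential, then mint "user|expiry|hmac(user|expiry)".
    String login(String user, String password) {
        byte[] expected = passwordHashes.get(user);
        // MessageDigest.isEqual is constant-time, so unknown user and wrong password look alike.
        if (expected == null || !MessageDigest.isEqual(expected, sha256(password)))
            throw new SecurityException("bad credentials");
        String body = user + "|" + (System.currentTimeMillis() + TOKEN_TTL_MS);
        return body + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(body));
    }

    // Turn a token back into a Principal, rejecting forged, malformed or expired tokens.
    private Principal authenticate(String token) {
        String[] parts = token.split("\\|");
        if (parts.length != 3) throw new SecurityException("malformed token");
        String body = parts[0] + "|" + parts[1];
        byte[] presented;
        try { presented = Base64.getUrlDecoder().decode(parts[2]); }
        catch (IllegalArgumentException e) { throw new SecurityException("malformed token"); }
        if (!MessageDigest.isEqual(hmac(body), presented)) throw new SecurityException("forged token");
        if (Long.parseLong(parts[1]) < System.currentTimeMillis()) throw new SecurityException("expired token");
        return new Principal(parts[0], permissionsByUser.getOrDefault(parts[0], Set.of()));
    }

    private static void require(Principal p, String permission) {
        if (!p.permissions.contains(permission))
            throw new SecurityException(p.name + " lacks " + permission);
    }

    // Published operations: authenticate, authorize, then delegate to the DAO.
    void createOrder(String token, String id, String payload) {
        require(authenticate(token), "ORDER_WRITE");
        dao.save(id, payload);
    }

    String getOrder(String token, String id) {
        require(authenticate(token), "ORDER_READ");
        return dao.find(id);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        OrderFacade facade = new OrderFacade("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String alice = facade.login("alice", "alice-pw");
        facade.createOrder(alice, "o-1", "2 widgets");
        String bob = facade.login("bob", "bob-pw");
        System.out.println("bob reads: " + facade.getOrder(bob, "o-1"));
        try { facade.createOrder(bob, "o-2", "1 gadget"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        // What solution 1 could not stop: a caller asserting an identity it never proved.
        String forged = "alice|" + (System.currentTimeMillis() + 60000) + "|AAAA";
        try { facade.getOrder(forged, "o-1"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}

// Plain DAO: persistence only, no notion of users or privileges.
class OrderDao {
    private final Map<String, String> orders = new HashMap<>();
    void save(String id, String payload) { orders.put(id, payload); }
    String find(String id) { return orders.get(id); }
}

// Identity the facade derives from a verified token; remote callers never construct one.
final class Principal {
    final String name;
    final Set<String> permissions;
    Principal(String name, Set<String> permissions) { this.name = name; this.permissions = permissions; }
}
```

Run it with `java OrderFacade.java` (Java 11 or later). The DAO stays reusable from any caller because it carries no security logic, while the facade is the single place where a credential is verified and a permission checked, so a token assembled by the client fails the HMAC comparison before the DAO is ever touched.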