Since Session object not used in EJB,How we track the user to serve?Thanx in Advance.
You want a stateful session bean. Such beans allow you to hold state over an extended period within an EJB call and across multiple EJB calls.
You can't use ThreadLocal because a single thread won't neccesarily handle the entire EJB call if other EJBs are invoked. And even if there are no callouts to other EJBs it's probably not a good idea...
I guess SESSION is HTTP SESSION.
If you want to track the user, then you could pass user credentials as a value object/data object to the EJB part of your interface methods.
Also, if you define security roles for ejb corresponsing to login user then you could do a routine validation in ejb using 'EJBContext' methods getCallerPrincipal() or isCallerInRole()
this helps ?