If we inject a SessionScoped bean into a Stateless bean, what happens if there is no HTTP session?

1
votes

Our application consists of web pages that interact with backing beans and Stateless EJB services, but there is also a remote client that interacts with the Stateless EJB services.

Many of the services query the DB and then filter the result set based on the current user/caller (for example, users have permission to view only some record types); that is, they use programmatic rather than declarative security.

On the web side, my intuition would be to store the currently logged-in user in a SessionBean, but I want the Stateless EJB services to filter the result set based on the currently logged-in user so that the filtering also applies during remote client calls. I can inject a SessionBean into a Stateless EJB service, but I think SessionBeans use HTTP sessions, and as there is no HTTP session during a remote client call, I don't see how that could work.

I sense that my approach is wrong, and that I should be retrieving the "Principal" from the container; however, due to our application's development lifecycle, container-managed security is not set-up yet, but I am still tasked to implement the business logic responsible for filtering records now rather than later.

My closely-related questions:

  1. Can a SessionScoped bean be injected into a Stateless EJB knowing that the Statelesss EJB will be invoked by remote clients? What is the value of the SessionScoped bean in that case?
  2. Instead of a SessionScoped bean, should my backing beans and Stateless EJB services be retrieving the Principal from the container?
    • If yes, how can I substitute a mock Principal to work on the business logic until container-managed security is set-up?

p.s. I am new to Java EE.

Technology:

  • Java EE 6
  • GlassFish 3.1.2.2
  • "Backing bean" e.g. javax.enterprise.context.SessionScoped
  • "Stateless EJB services", e.g. javax.ejb.Stateless
  • "remote client"; i.e. some non-web clients invoking the Stateless beans directly (through EJB/RMI)

Update:

More detail on the "remote client". I'm not sure how to word this because I'm new to Java EE, but this "remote client" will not be over HTTP. Another application, let's call it application X, will receive XML messages from clients. I think they authenticate the client using certificates. Application X will transform the XML into POJOs and call my Stateless EJB services directly.

In this case, I think I'm right to say that I should not inject a SessionBean into a Stateless EJB service because there will be no HTTP session when the EJB service is called by Application X. Is my understanding correct?

Thank you for your patience. I am aware of my ignorance in these matters.

1
javajakarta-eearchitectureejbcdi
typically this would result in the injection point being null.him

1 Answers

5
votes

You are not fully clear with your questions. Your question let me assume a lot. So you should break your questions down and provide more details to your issue. First of all you should mention which Java EE version you are using. Anyway here my details with some assumptions to your context.

Assuming you are talking about following Backing beans: http://docs.oracle.com/javaee/5/tutorial/doc/bnaqm.html

"Stateless beans" == Stateless session beans : http://docs.oracle.com/javaee/6/tutorial/doc/gipjg.html#gipin

SessionScoped beans : http://docs.oracle.com/javaee/6/tutorial/doc/gjbbk.html

"remote client interaction": http://docs.oracle.com/javaee/6/tutorial/doc/gipjf.html#girfl

In the case of the major question, you should keep in mind to separate the Http session from your Stateful session bean: Stateful Session Bean and HTTP Session

So if you try to couple Http Session with a Stateful session bean you have to provide the http session details into a area where both http session and stateful session bean can access the data and also hold a reference to it.

This assumes also, that your remote EJB service will not create a http session first. So you will not have a valid reference to a HTTP session via remote EJBs.

If you are using a HTTP based "remote client interaction", why are you not creating a http session on the first request?

HttpServletRequest.getSession(true)

will ensure what you will always get a valid session

If you are using some other HTTP bases frameworks like jax-rs there are also options to get a http session there.

Update 1

Can a SessionScoped bean be injected into a Stateless EJB knowing that the Statelesss EJB will be invoked by remote clients? What is the value of the SessionScoped bean in that case?

You can use the backing beans as POJOs in your EJBs, but not as http session scoped beans. If you need them from remote EJB you have to initialize them first, before using. Means, the have no value on remote EJB calls.

Instead of a SessionScoped bean, should my backing beans and Stateless EJB services be retrieving the Principal from the container?

Also here the question is not fully clear. You can configure your container (glassfish) to use have manual user, roles and realms. So this is your local mock for the Security and you can retrieve the Principal from the container. http://docs.oracle.com/javaee/6/tutorial/doc/bnbxj.html#bnbxs

Independently: I would recommend you to read the Oracle tutorial about Java EE. It is pretty good. Taking some dollars I would recommend Java EE 7 Essentials