users@javaee-spec.java.net

[javaee-spec users] Re: CDI support in JASPIC

From: Markus Eisele <myfear_at_web.de>
Date: Thu, 31 Jan 2013 06:59:47 +0100

Hi Arjan,

thanks for your feedback! Happy to see you contributing ideas here!
Comments inline:

On 30 January 2013 16:21, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> Injection doesn't work in any case. Using GlassFish 3.1.2.2 it's also not
> possible to look up the CDI bean manager directly in JNDI using
> "java:comp/BeanManager". Clearly, a SAM doesn't qualify as either a managed
> bean or Java EE component.

Exactly. Whatever security construct you're looking at you will not
succeed here.

> However, using JBoss AS 7.1.3, it's possible to look up
> "java:comp/BeanManager" and retrieve bean references from it.

That might be because of their module system. I personally believe
that it shouldn't be possible at all.
I'm unsure if this could be considered a bug. Have not checked it but
believe that the relevant specs didn't comment on it.

> In GlassFish, it is possible to bootstrap an EJB bean from within a JASPIC
> SAM using the java:global context, inject that bean with the CDI bean
> manager and then within the EJB retrieve a bean reference. Only, in this
> case GlassFish will log a warning: "SEVERE: No valid EE environment for
> injection of [...]" (it will still retrieve the bean though).
>
> What is the intended behavior?

See comment above. It also shouldn't be possible at all.

The idea of JSR-196 is to have "portable" security. Requiring an
application component for a SAM is a no-go!
Whatever you have in mind, make sure it stays portable! If you have
something closer to your application you are
free to use one of the application-centered approaches (e.g. @WebFilter).

It also might be an idea to look into the
com.sun.appserv.security.AppservRealm and retry it there. But I would
expect to see the same behavior.

> In the larger topic of the alignment of CDI with the rest of the Java EE
> platform, would it be viable to take JASPIC modules into account as well?

All the relevant security APIs haven't had an overhaul in some years
and naturally didn't catch up with the platform.
Looking at them, I would highly appreciate a more convenient and
developer-friendly approach of implementing the required artifacts.
That might include the fact that they could facilitate CDI and even
JPA but in a space completely separated from the deployed
applications.

- Markus
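
The "java:comp/BeanManager" lookup discussed in this message, written as a guarded helper that a SAM could call. This is an added example, not code from the thread; the class and method names are hypothetical, and it assumes the CDI 1.0 and JNDI APIs are on the classpath.

```java
import java.util.Set;
import javax.enterprise.context.spi.CreationalContext;
import javax.enterprise.inject.spi.Bean;
import javax.enterprise.inject.spi.BeanManager;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Hypothetical helper for use inside a JASPIC ServerAuthModule. */
public final class SamCdiLookup {

    private SamCdiLookup() {}

    /**
     * Returns a contextual reference of the given type, or null when the
     * container does not expose a usable BeanManager to the SAM.
     */
    public static <T> T lookupBean(Class<T> type) {
        BeanManager bm;
        try {
            // Per the thread: this lookup fails in GlassFish 3.1.2.2
            // and succeeds in JBoss AS 7.1.3, so it is not portable.
            bm = (BeanManager) new InitialContext().lookup("java:comp/BeanManager");
        } catch (NamingException e) {
            // No component namespace is bound for the SAM in this container.
            return null;
        }

        Set<Bean<?>> beans = bm.getBeans(type);
        if (beans.isEmpty()) {
            // The type is not a bean visible from the current context.
            return null;
        }

        // resolve() throws AmbiguousResolutionException if several beans match.
        Bean<?> bean = bm.resolve(beans);
        CreationalContext<?> ctx = bm.createCreationalContext(bean);
        return type.cast(bm.getReference(bean, type, ctx));
    }
}
```

A SAM calling this should treat a null result as "CDI not available here" and continue with its own non-CDI logic, so the authentication decision never depends on a container-specific lookup succeeding.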