Spring Security with EJBs

Question

Since EJB authorization is too limited for my needs I want to use Spring Security together with EJBs. For authentication I want to use Spring Security too. The question is, if I can use the Spring Security context within an EJB.

The scenario:

• user communicates with a servlet
• authentication through Spring Security
• servlet communicates with an EJB
• the EJB may communicate with other EJBs
• security check with an EJB interceptor or directly in the EJB method

Will the security context, usually hold in a thread local object, be propagated through the servlet and ejb layer so that I can use it for security checks?

Answer 1

If you are operating in a cluster, or EJB's on different servers, then each server (of course) will be running it's own thread so propogation will not occur.

If they are all on the same server, then they may, but I think it is vendor dependent, unless you are using local instead of remote interfaces.

Answer 2

You will be able to access the Spring Security context, provided there are no remote calls involved, but you will not be able to directly use any of Spring Security's declarative security features which require proxying of the object.

You could potentially use Spring beans from your servlet layer (implementing the same interfaces as the EJBs, and delegating to them), and apply security to these. This would also allow you to migrate away from EJBs if you wished to do so.

Another alternative would be to consider Spring Security's AspectJ support, which should work with EJBs.