I want to use Spring Security with EJB 3.1. I was told that storing the SecurityContext with ThreadLocal doesn't work in clustered environments. What is the best way to hold a Spring SecurityContext in a clustered EJB environment?
My ideas:
A)
- replace the SecurityContextHolder with a singleton EJB and hold the SecurityContext for each user in a HashMap
- access the SecurityContext for a specific user through the securityContextHolderEJB.getContext("userX") method
Singleton Session Beans are not cluster aware, so each node in the cluster would have its own instance. I don't know if this approach would work due to this limitation.
B)
- implement a SecurityContextHolderStrategy based on a singleton EJB
C)
- Another vague idea is to use JSR 299 Contexts to hold the SecurityContext, but I have no idea how to do it or even if it would work in principle. Any ideas?
Would this work? Better ideas?