
enterprise_java_beans thread: Stateless session beans and security


Message #1 by sandy.thorne@i... on Tue, 12 Dec 2000 13:06:28 -0000
Hi

I need some help from an EJB security guru. I've written a stateless session bean which gets some data from a database and I'm using a servlet as the client of the EJB. I'm also using an applet as a client of the servlet. I'm using session tracking to maintain the session between the applet and the servlet.

Within the service method of the servlet (the first time round) I create the initial context with my username and password in it and then do the JNDI lookup on the EJB using the initial context. I then get the home interface pointer and create the bean in the usual way. I cache the resulting remote interface pointer in the servlet class.

I then use the remote interface pointer to call the first method on my
stateless session bean which authenticates my username and password and
correctly calls the method.

The next time I call the service method on the servlet, I use the cached remote interface pointer to the EJB to call the next method on it. Although the pointer is obviously valid because the method gets called correctly, the EJB throws a security exception because it's forgotten who I am and defaults back to its default username of "guest" (I'm using WebLogic as the EJB server).

As I understand it, it's valid for an EJB client to cache the remote interface pointer (even to a stateless session bean) and be able to use it a second time. I haven't read anywhere that I need to do a JNDI lookup on the bean again. I'm rather confused because the bean is stateless and can therefore have multiple clients each with different authentication info, so how does it retain the info about each client?

I'd appreciate any info from anyone who's implemented method level security on EJBs and how it works with stateless session beans in particular.

Thanks

Sandy Thorne
Intec Telecom Systems
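Added example (not code from the post, from WebLogic or from Wrox): a servlet following the setup described above, but re-creating the authenticated InitialContext on every request instead of sharing one cached remote stub across requests and users. It assumes hypothetical EJB 1.1 interfaces `DataHome`/`Data`, the JNDI name `ejb/Data`, a `t3://localhost:7001` server, credentials kept in the HTTP session, and a container that binds the caller identity to the InitialContext and its thread, as the post's WebLogic behaviour suggests.

```java
import java.io.IOException;
import java.rmi.RemoteException;
import java.util.Hashtable;
import javax.ejb.*;
import javax.naming.*;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical EJB 1.1 home/remote interfaces standing in for the poster's bean.
interface DataHome extends EJBHome { Data create() throws CreateException, RemoteException; }
interface Data extends EJBObject { String fetch(String key) throws RemoteException; }

public class DataServlet extends HttpServlet {
    // JNDI login as the caller. Where the container ties the caller identity to the
    // InitialContext and its thread (as the post describes on WebLogic), this login decides who invokes the bean.
    static Context login(String user, String password) throws NamingException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, "t3://localhost:7001");  // assumed server URL
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialContext(env);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Credentials were stored per HTTP session at applet login (assumed), never in a
        // servlet-wide field: one cached stub would serve every user as a single principal.
        HttpSession session = req.getSession(true);
        String user = (String) session.getAttribute("user");
        String password = (String) session.getAttribute("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Context ctx = null;
        try {
            // Re-establish the identity on every request instead of reusing a stub cached
            // from an earlier request (another thread), which the post saw fall back to "guest".
            ctx = login(user, password);
            Object ref = ctx.lookup("ejb/Data");  // JNDI name is an assumption
            DataHome home = (DataHome) PortableRemoteObject.narrow(ref, DataHome.class);
            Data bean = home.create();
            resp.getWriter().println(bean.fetch(req.getParameter("key")));
        } catch (NamingException | CreateException e) {
            throw new ServletException("EJB access failed", e);
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

Closing the context in `finally` also ends the per-request security association, so a later request on the same worker thread cannot inherit the previous user's identity.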
