Java EE declarative security, acquiring reference to a secured bean from application client


I would like to consult you on two questions.

Background: I have written a test Java EE application and added declarative security. The application is deployed on Glassfish 3.1. For unit testing I used JUnit with the embedded container for all beans with a local interface. For the entry point of the application, the SessionFacade bean, which has the only remote interface, I wrote a simple client which acquires a reference to the SessionFacade bean. I applied security annotations to the SessionFacade bean only.

(Question 1: What is the recommended unit testing strategy with security? Is it all right if I utilize a simple application client for the SessionFacade? (The other (local) beans are not affected, as no security annotations are applied there.))

Question 2: How should I access the SessionFacade from the application client? I would really appreciate it if you could copy here some code samples for the application-client.xml and for acquiring a reference through the JNDI service. This would spare me a lot of time. The question is similar to the one under "Java EE 6 Application Client login", but I found an explanation (http://docs.oracle.com/cd/E18930_01/html/821-2418/beacm.html) that it is not really recommended, as it loads the burden of security back onto the developer instead of the framework. See the text below:

"[...]Programmatic login allows the application developer to bypass the GlassFish Server-supported authentication mechanisms and feed authentication data directly to the security service. While flexible, this capability should not be used without some understanding of security issues.

Since this mechanism bypasses the container-managed authentication process and sequence, the application developer must be very careful in making sure that authentication is established before accessing any restricted resources or methods. It is also the application developer’s responsibility to verify the status of the login attempt and to alter the behavior of the application accordingly.

The programmatic login state does not necessarily persist in sessions or participate in single sign-on.[...]"

Thank you for reading this far. Kind regards, Tamas

Remark: As there has been no response since I wrote the original post, I would say it would be enough to answer the second question. It would help me to go on. Thanks, Tamas


There are 0 answers
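For the second question, here is an added example (editor's code, not the poster's and not GlassFish's own sample) of an application client that reaches the secured SessionFacade through the container-managed login path the quoted GlassFish text recommends, with the application-client.xml shown in the header comment. The remote interface `client.SessionFacadeRemote` and its `ping()` method, the EAR name `testapp`, the module name `testapp-ejb` and the `client.ConsoleCallbackHandler` class are assumptions; adjust them to the real deployment.

```java
// Added example, not from the post: a GlassFish 3.1 application client that reaches the
// SessionFacade bean through container-managed login. Assumed names: interface
// client.SessionFacadeRemote with a ping() method, EAR "testapp", EJB module "testapp-ejb".
// META-INF/application-client.xml declares the EJB reference and the JAAS callback
// handler the application client container (ACC) uses to collect credentials, so the
// login stays with the container instead of programmatic login in application code:
//
//   <application-client version="6" xmlns="http://java.sun.com/xml/ns/javaee">
//     <ejb-ref>
//       <ejb-ref-name>ejb/SessionFacade</ejb-ref-name>
//       <ejb-ref-type>Session</ejb-ref-type>
//       <remote>client.SessionFacadeRemote</remote>
//     </ejb-ref>
//     <callback-handler>client.ConsoleCallbackHandler</callback-handler>  <!-- assumed class -->
//   </application-client>
package client;

import javax.ejb.EJBAccessException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class SessionFacadeClient {
    // Java EE 6 portable JNDI name: java:global/<app>/<module>/<bean>!<remote interface>
    static final String JNDI_NAME =
        "java:global/testapp/testapp-ejb/SessionFacade!client.SessionFacadeRemote";

    static SessionFacadeRemote lookupFacade() throws NamingException {
        InitialContext ctx = new InitialContext(); // the ACC supplies the naming provider
        try {
            return (SessionFacadeRemote) ctx.lookup(JNDI_NAME);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        try {
            SessionFacadeRemote facade = lookupFacade();
            // The server authorizes each @RolesAllowed method against the identity the
            // ACC established via the callback handler; the client performs no check.
            System.out.println(facade.ping());
        } catch (EJBAccessException denied) {
            // Declarative security rejected the call: missing login or wrong role.
            System.err.println("Access denied by the container: " + denied.getMessage());
        } catch (NamingException e) {
            System.err.println("JNDI lookup failed: " + e.getMessage());
        }
    }
}
```

If no `<callback-handler>` is declared, the GlassFish ACC falls back to its own default handler to prompt for credentials; either way the authentication decision is enforced on the server, which is why a denied call surfaces as an EJBAccessException rather than a client-side check.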