EJB.5.5 Session Object Identity

Session objects are intended to be private resources used only by the client that created them. For this reason, session objects, from the client's perspective, appear anonymous. In contrast to entity objects, which expose their identity as a primary key, session objects hide their identity. As a result, the EJBObject.getPrimaryKey() and EJBHome.remove(Object primaryKey) methods result in a java.rmi.RemoteException if called on a session bean. If the EJBMetaData.getPrimaryKeyClass() method is invoked on a EJBMetaData object for a session bean, the method throws the java.lang.RuntimeException .

Since all session objects hide their identity, there is no need to provide a finder for them. The home interface of a session bean must not define any finder methods.

A session object handle can be held beyond the life of a client process by serializing the handle to persistent store. When the handle is later deserialized, the session object it returns will work as long as the session object still exists on the server. (An earlier timeout or server crash may have destroyed the session object.)

The client code must use the javax.rmi.PortableRemoteObject.narrow(...) method to convert the result of the getEJBObject() method invoked on a handle to the remote interface type.

A handle is not a capability, in the security sense, that would automatically grant its holder the right to invoke methods on the object. When a reference to a session object is obtained from a handle, and then a method on the session object is invoked, the container performs the usual access checks based on the caller's principal.