CDI and EJB, security issues?

Question

I am reviewing my code from since I picked up on JSF. One of the most complex issues has come up once again. The decision between CDI and EJB.

I am using three layers and I wonder which type of annotation to use on each of them: - Backing beans (the Controller as defined in MVC) - The service layer - DAO's

My backing beans are using CDI, as long as I don't need anything from EJB. But I am stuck on those other two. I remember reading about using EJB beans because of the pooling functionalities, which would prevent massive loads of requests (or attacks, if you will). So in short, is there ANY reason to use EJB (Stateless, Stateful, LocalBean et cetera), considering security or anything else (excluded ViewScoped)?

Thanks in advance.

Answer 1

You're making a conceptual mistake here. CDI is absolutely not an alternative to EJB. CDI in its default trim doesn't offer transaction management at all. CDI is a bean management and dependency injection API, not a service layer API. In order to manage transactions in CDI, you've to add another API along with a bunch of another annotations.

CDI can replace for example JSF managed bean annotations, but definitely not EJB annotations.

So there's no means of a valid "CDI vs EJB" question. Both have their own completely distinct purposes. Note that you can perfectly inject EJB based service classes in CDI based managed bean classes.

As to security, it's not clear why you mentioned that part in the title and the tags, but the decision between CDI and EJB has nothing to do with security (simply because there's no means of a valid "CDI vs EJB" question in first place).

Answer 2

Yes when you require out-of-box support for transactions, concurrency, pooling etc.