When can we hope to see a comprehensive security spec for EJB?
Currently the EJB security model supports authorization-level security. Authorization security, or access control, allows control over which users can invoke which methods on a bean. Access control in EJB is declarative, which simplifies the programming model.
It's possible that authentication security, which validates the identities of users accessing the system, will be defined in EJB 2.0. It's likely that the Java Authentication and Authorization security service will be used, but this is not definite. If this authentication is added to EJB, it will provide a standard and portable model for authenticating (logging in) users.
The release date for EJB 2.0 (as of this writing) has not been determined. It seems likely that EJB 2.0 will become final sometime in late 2001 or 2002.
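To make the declarative access control described above concrete, here is an added example (not part of the original answer) of the `assembly-descriptor` section of an EJB 1.1 `ejb-jar.xml`. The bean name `AccountService`, its method names and the role names `teller` and `auditor` are hypothetical.

```xml
<!-- Added example: fragment of ejb-jar.xml (EJB 1.1 deployment descriptor).
     Bean, method and role names are hypothetical. The bean itself is
     assumed to be declared under <enterprise-beans> in the same file. -->
<assembly-descriptor>

  <!-- Logical roles defined by the application assembler. -->
  <security-role>
    <description>Staff who may read and change account balances</description>
    <role-name>teller</role-name>
  </security-role>
  <security-role>
    <description>Staff who may only read account data</description>
    <role-name>auditor</role-name>
  </security-role>

  <!-- Both roles may call the read-only method. -->
  <method-permission>
    <role-name>teller</role-name>
    <role-name>auditor</role-name>
    <method>
      <ejb-name>AccountService</ejb-name>
      <method-name>getBalance</method-name>
    </method>
  </method-permission>

  <!-- Only tellers may call the state-changing methods. -->
  <method-permission>
    <role-name>teller</role-name>
    <method>
      <ejb-name>AccountService</ejb-name>
      <method-name>deposit</method-name>
    </method>
    <method>
      <ejb-name>AccountService</ejb-name>
      <method-name>withdraw</method-name>
    </method>
  </method-permission>

</assembly-descriptor>
```

The descriptor names only logical roles. How a caller is authenticated, and which real users or groups are mapped to `teller` and `auditor`, is configured by the deployer with container-specific tools, which is the portability gap the answer above refers to.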