Does the EJB specification allow for such products as the Java Cryptography Architecture (JCA) and other security APIs, to be used from within session beans? What are the potential issues that would need to be addressed from doing this?

Ron Kurr

I don't believe the specification talks about using any of the crypto APIs or frameworks. The spec talks about restricting access to particular methods on a bean and that is handled by the container using information encoded in the deployment descriptor. If you are just talking calling some crypto APIs, I can't think of anything that would prevent you from doing cryto work from inside a session bean. Once you are inside a bean, you can pretty do whatever you want, with just a few exceptions.