[ https://issues.jboss.org/browse/SEAMSECURITY-110?page=com.atlassian.jira.... ]
Shane Bryzak resolved SEAMSECURITY-110.
---------------------------------------
Assignee: Shane Bryzak
Resolution: Done
Docs and security extension updated, thanks Jozef.
Document that an implementation of the Authenticator interfaces must not be @Stateless
--------------------------------------------------------------------------------------
Key: SEAMSECURITY-110
URL: https://issues.jboss.org/browse/SEAMSECURITY-110
Project: Seam Security
Issue Type: Feature Request
Affects Versions: 3.1.0.Beta3
Reporter: Jozef Hartinger
Assignee: Shane Bryzak
Priority: Blocker
Fix For: 3.1.0.CR1
Document that an implementation of the Authenticator interface *must not* be @Stateless.
It is not obvious from the documentation and can cause a fatal bug in an application. The
bug may not actually be reproducible in a development environment and only manifest itself
in production, when the SLSB pool serves different instances for each invocation.
Besides a note in the docs, I would suggest that seam-security validates this, e.g.:
{noformat}
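// Portable-extension observer: fails deployment if an Authenticator is a stateless session bean.
// Observes is in javax.enterprise.event; ProcessSessionBean and SessionBeanType are in
// javax.enterprise.inject.spi.
public void validateAuthenticatorImplementation(@Observes ProcessSessionBean<Authenticator> event)
{
   if (SessionBeanType.STATELESS.equals(event.getSessionBeanType()))
   {
      // getBeanClass() names the application's bean class; getClass() would name
      // the container's Bean implementation instead.
      event.addDefinitionError(new IllegalStateException("Authenticator "
         + event.getBean().getBeanClass() + " cannot be a Stateless Session Bean"));
   }
}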
{noformat}
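Added example (not part of the original issue and not Seam Security code): a container-free Java model of the failure described above, where a pooled stateless bean serves a different instance for each invocation. It assumes the authenticator keeps the outcome of authenticate() in an instance field that the caller reads in a second call; ResultHolder, PasswordAuthenticator, PoolProxy and the credentials are hypothetical, constructed stand-ins.

```java
import java.util.ArrayList;
import java.util.List;

public class StatelessAuthenticatorDemo {
    // Hypothetical stand-in contract (an assumption, not the Seam Security API):
    // authenticate() stores its outcome in the instance, a later call reads it.
    interface ResultHolder {
        void authenticate(String user, String password);
        boolean isAuthenticated();
    }

    static class PasswordAuthenticator implements ResultHolder {
        private boolean authenticated; // per-instance state
        public void authenticate(String user, String password) {
            authenticated = "demo".equals(user) && "constructed-secret".equals(password);
        }
        public boolean isAuthenticated() { return authenticated; }
    }

    // Models a stateless session bean pool: each invocation through the proxy
    // may be dispatched to a different pooled instance (round-robin here).
    static class PoolProxy implements ResultHolder {
        private final List<PasswordAuthenticator> pool = new ArrayList<>();
        private int next;
        PoolProxy(int size) {
            for (int i = 0; i < size; i++) pool.add(new PasswordAuthenticator());
        }
        private PasswordAuthenticator pick() { return pool.get(next++ % pool.size()); }
        public void authenticate(String u, String p) { pick().authenticate(u, p); }
        public boolean isAuthenticated() { return pick().isAuthenticated(); }
    }

    // The caller's view: authenticate, then read the outcome in a second call.
    static boolean login(ResultHolder a, String user, String password) {
        a.authenticate(user, password);
        return a.isAuthenticated();
    }

    public static void main(String[] args) {
        // Pool of one (a quiet development machine): both calls hit the same instance.
        System.out.println("pool=1, valid login: " + login(new PoolProxy(1), "demo", "constructed-secret"));
        // Pool of two: the outcome is read from an instance that never ran authenticate().
        System.out.println("pool=2, valid login: " + login(new PoolProxy(2), "demo", "constructed-secret"));
        // Pool of three: a later caller reads the stale outcome left by an earlier login.
        PoolProxy shared = new PoolProxy(3);
        login(shared, "demo", "constructed-secret");
        System.out.println("pool=3, wrong password after an earlier login: " + login(shared, "demo", "wrong"));
    }
}
```

The third case is the one that matters most for review: with instance state on a pooled bean, the failure is not only a rejected valid login but also an accepted invalid one.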