java - Good way to make Authentication and Authorization information available between application layers -

I have a web application that is running on Google App Engine (GAE) for Java app. I am certifying the customer at the highest level, but I would like to provide customer information for my business and data layers without passing the client object through the arguments of every item of the customer.

I am trying to set up a "session" type object using the ThreadLocal I can just say something like this in any function:

  CurrentUser.getRoles ();  

Is this a good way to do or is there something else which is a much more accepted solution?

Thank you!

This will probably work and will be completely convenient, but usually I threadlocal I try to avoid much of the same use cases as can be done by me. Cause:

• You start to depend on the code suddenly on the fact that the built-in container uses different threads for different users. If you start using Container NIO, different types of threads (like green threads which are not mapped on ) on some foreign JVM, then you will be out of luck. / P>

• Threadlocal s forget to clean after using them. So if your server grows in use and a lot of stuff will be kept in 'cache' to one of the users, then you can be out of RAM.

• As a result of cleaning

• Finally, I believe Threadlock s Designed for environments, where there is a full control over the thread in your context, and the use case is far too far.

Unfortunately, there is a lot to know about TAP that it can recommend a viable alternative, sorry about it!