Hi Mark

[EMAIL PROTECTED] wrote:

Ben,

I have been a Spring user for sometime now and am starting to investigate
Acegi Security. I am having trouble replying to the developer-list
subscription so I thought that I would email you directly if you do not
mind this once. My reply to the subscription keeps bouncing back.


I just subscribed you to the list administratively. If you would like to be unsubscribed and have difficulty, just let me know and I can remove your address.

I have read the documentation but have a couple of questions. Our
application will be web based using Macromedia Flex. Flex creates Flash
clients for the browser. The method that I will be communicating with the
application server (Tomcat) will be with AMF (Flash remoting) and not the
HTTP protocol. I am thinking that I will need to pass a token back and
forth so that I do not have to reauthenticate for each request. Is there
a way that I can do this with some kind of ContextHolder object? I can
maintain state in the Flash client with ActionScript objects that get
translated to Java objects. Am I bound to HTTP Session Auth or basic auth
as described in section 1.8.4 of the doco?


For web services I always encourage use of BASIC authentication which presents the username/password with each web services request. Acegi Security's DaoAuthenticationProvider includes caching, so it's not a problem "re-authenticating" on each request.

Passing a Context from the client to the server containing an Authentication object would work, but it would probably prove quite difficult to do. I briefly investigated this for Spring's included remoting protocols (SOAP, Burlap, Hessian) but quickly found they were unwilling to deliver an additional object that is not part of the method signature being called. If this sort of issue is easily resolved with AMF, it's perhaps a more elegant way of doing it. You could simply pass a Context to the server, write some object that unwraps the context from the web services request and places it on the server's ContextHolder, and then proceed with the request. Still, it would surprise me if AMF doesn't offer any BASIC authentication approach for simple protection of remote web services, which is going to save you from writing _any_ code.

Furthermore, I also see that you can allow a user to run_as someone else. I think that this would be useful for unit testing. Do I just need to
configure a user to have RUN_AS_MANAGER privileges to take advantage of
the RunAsManagerImpl class? This is a little fuzzy to me.


Run-as replacement is designed so a user can call ObjectA which in turn needs to access say a ManagerObject. As the user is not granted authorities to call ManagerObject directly, ObjectA uses a run-as replacement to obtain additional granted authorities required to call ManagerObject.

Unit testing is best achieved using the TestingAuthenticationProvider. It accepts a TestingAuthenticationToken, which you populate with granted authorities you want your test case to hold. Then you call your code and Acegi Security can happily live in the server stack that executes the test. You can also ensure more complex situations such as run-as replacement are handled properly.

HTH

Ben
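The server-side "unwrap the context from the request and place it on the ContextHolder" step that Ben describes, written out as an added example (not code from the thread or from Acegi Security itself). It assumes the remoting layer (AMF here) can hand the server a username/password alongside the call; `RemoteRequest` and `Invocation` are hypothetical stand-ins for whatever that layer provides, and the `net.sf.acegisecurity` package layout, `UsernamePasswordAuthenticationToken`, `SecureContextImpl` and `ContextHolder.setContext` follow the Acegi releases of that era and should be checked against the version in use. The point it adds to the prose: the client's object is treated as a credential claim and re-verified through the `AuthenticationManager` (which is cheap thanks to `DaoAuthenticationProvider`'s caching), never accepted as a ready-made `Authentication` carrying the authorities the client says it has, and the thread-bound context is cleared afterwards so a pooled thread cannot carry one user's identity into the next request.

```java
// Added example; not from the mailing-list thread or from Acegi Security.
// Package names follow the net.sf.acegisecurity layout of Acegi's early releases.
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;

public class RemoteAuthenticationBinder {

    private final AuthenticationManager authenticationManager;

    public RemoteAuthenticationBinder(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * Establishes a server-side security context from the credentials the
     * client sent with this remote call, runs the call, then tears the
     * context down again.
     */
    public Object invoke(RemoteRequest request, Invocation invocation) throws Exception {
        // The client's data is only a claim of who it is. Granted authorities
        // are decided on the server, by the AuthenticationManager, not read
        // from anything the client transmitted.
        Authentication claim = new UsernamePasswordAuthenticationToken(
                request.getUsername(), request.getPassword());

        Authentication verified;
        try {
            // DaoAuthenticationProvider caches, so re-authenticating per request
            // is inexpensive, as the thread notes.
            verified = authenticationManager.authenticate(claim);
        } catch (AuthenticationException failed) {
            throw new RemoteAccessDeniedException("authentication failed", failed);
        }

        SecureContextImpl context = new SecureContextImpl();
        context.setAuthentication(verified);
        ContextHolder.setContext(context);
        try {
            return invocation.proceed();
        } finally {
            // Clear the thread-local context so a pooled server thread does not
            // leak this user's identity into the next request it services.
            ContextHolder.setContext(null);
        }
    }

    /** Hypothetical: what the remoting layer hands us for one call. */
    public interface RemoteRequest {
        String getUsername();
        String getPassword();
    }

    /** Hypothetical: callback that runs the actual service method. */
    public interface Invocation {
        Object proceed() throws Exception;
    }

    public static class RemoteAccessDeniedException extends Exception {
        public RemoteAccessDeniedException(String message, Throwable cause) {
            super(message, cause);
        }
    }
}
```

The binder would sit wherever the AMF gateway dispatches a call to a Spring bean, wrapping that dispatch in `invoke`. Sending the credentials with every call is exactly the BASIC-style approach Ben recommends; if the transport can instead carry a server-issued token, the same structure applies, with the token validated by a provider the server trusts before anything reaches the `ContextHolder`.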



_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
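A unit test in the style Ben suggests, as an added example that is not part of the thread or of Acegi Security: it obtains an `Authentication` through `TestingAuthenticationProvider` from a `TestingAuthenticationToken` populated with the authorities the test should hold, binds it to the `ContextHolder`, and then checks run-as replacement by asking `RunAsManagerImpl` to widen that `Authentication` for a method whose configuration carries a `RUN_AS_` attribute. It also shows what Ben's explanation implies for the question about `RUN_AS_MANAGER`: the replacement is driven by the secured method's configuration attribute, not by a privilege granted to the user. The `net.sf.acegisecurity` package layout, the `key` property on `RunAsManagerImpl`, `ConfigAttributeDefinition`/`SecurityConfig`, and the `ROLE_` prefix that `RunAsManagerImpl` puts in front of the attribute name (giving `ROLE_RUN_AS_SERVER`) are my understanding of the Acegi releases of that era and should be checked against the version in use; JUnit 3 is assumed for the test harness.

```java
// Added example; not from the mailing-list thread or from Acegi Security.
// Package names follow the net.sf.acegisecurity layout of Acegi's early releases.
import junit.framework.TestCase;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.SecurityConfig;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.TestingAuthenticationProvider;
import net.sf.acegisecurity.providers.TestingAuthenticationToken;
import net.sf.acegisecurity.runas.RunAsManagerImpl;

public class RunAsReplacementTest extends TestCase {

    // Shared secret between RunAsManagerImpl and RunAsImplAuthenticationProvider;
    // a constructed value for the test only.
    private static final String RUN_AS_KEY = "test-only-run-as-key";

    protected void setUp() {
        // Grant only what this test case should hold. TestingAuthenticationProvider
        // trusts the token as given, so it belongs in tests, never in a deployment.
        TestingAuthenticationToken token = new TestingAuthenticationToken(
                "test-user", "ignored-password",
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
        Authentication auth = new TestingAuthenticationProvider().authenticate(token);

        SecureContextImpl context = new SecureContextImpl();
        context.setAuthentication(auth);
        ContextHolder.setContext(context);
    }

    protected void tearDown() {
        // Never let a test identity leak into the next test on this thread.
        ContextHolder.setContext(null);
    }

    public void testRunAsAttributeWidensAuthorities() {
        RunAsManagerImpl runAsManager = new RunAsManagerImpl();
        runAsManager.setKey(RUN_AS_KEY);

        // Equivalent of declaring a method with attributes "ROLE_USER,RUN_AS_SERVER".
        ConfigAttributeDefinition attributes = new ConfigAttributeDefinition();
        attributes.addConfigAttribute(new SecurityConfig("ROLE_USER"));
        attributes.addConfigAttribute(new SecurityConfig("RUN_AS_SERVER"));

        Authentication replaced = runAsManager.buildRunAs(currentAuthentication(), new Object(), attributes);

        assertNotNull("a RUN_AS_ attribute should yield a replacement token", replaced);
        assertTrue("replacement gains the run-as role", hasAuthority(replaced, "ROLE_RUN_AS_SERVER"));
        assertTrue("original authorities are preserved", hasAuthority(replaced, "ROLE_USER"));
    }

    public void testNoRunAsAttributeMeansNoReplacement() {
        RunAsManagerImpl runAsManager = new RunAsManagerImpl();
        runAsManager.setKey(RUN_AS_KEY);

        ConfigAttributeDefinition attributes = new ConfigAttributeDefinition();
        attributes.addConfigAttribute(new SecurityConfig("ROLE_USER"));

        // Without a RUN_AS_ attribute the caller keeps exactly its own authorities.
        assertNull(runAsManager.buildRunAs(currentAuthentication(), new Object(), attributes));
    }

    private static Authentication currentAuthentication() {
        return ((SecureContextImpl) ContextHolder.getContext()).getAuthentication();
    }

    private static boolean hasAuthority(Authentication auth, String role) {
        GrantedAuthority[] granted = auth.getAuthorities();
        for (int i = 0; i < granted.length; i++) {
            if (role.equals(granted[i].getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

In a real application the secured `ObjectA` from Ben's explanation would have the `RUN_AS_SERVER` attribute on its method, `ManagerObject` would require `ROLE_RUN_AS_SERVER`, and `RunAsImplAuthenticationProvider` would be configured with the same key so the replacement token is accepted only if it was built by the server's own `RunAsManagerImpl`.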