Amad Fida wrote:
Ben,
As long as an Authentication is never returned unless the correct credentials for that Authentication are firstly presented, it should be fine. I presume you're doing a ((UserDetails)returnedAuthentication.getPrincipal()).getUsername() and setting the AuthenticationSimpleHttpInvokerRequestExecutor with the resulting username and password.
I am using HttpInvoker and I have implemented my own RemoteAuthenticationProvider and RemoteAuthenticationManager, and I am just returning Authentication all the way back to client. Principal is my custom User which wraps my domain object, which is basically a user with some of its details, like email, last name, first, etc. It seems to work fine. Would there be a problem with this approach?
Amad
All the net.sf.acegisecurity.provider.rcp package does is check a username/password is correct, and return some details helpful to the client (typically GrantedAuthority[]s but conceivably whatever you like). The real work of security happens via the BASIC authentication headers on remoting requests, which Acegi Security unwraps at invocation time and authorizes on the server side.
Ben
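The flow Ben describes, as an added sketch that is not Acegi Security code and not part of the thread: a language-neutral Python model in which the login call only returns details to the client, while every remoting request is re-authenticated from its BASIC header and authorized against server-side authorities. The user store, function names and credentials are constructed for the illustration.

```python
import base64
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed value for this sketch

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed server-side store: username -> (password hash, authorities).
USERS = {"amad": (_hash("s3cret"), {"ROLE_USER"})}

def check_credentials(username, password):
    """Return the user's authorities if the password matches, else None."""
    candidate = _hash(password)  # hash first so unknown users cost the same
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(candidate, record[0]):
        return None
    return record[1]

def remote_authenticate(username, password):
    """Login-time call: returns details for the client's convenience only."""
    authorities = check_credentials(username, password)
    if authorities is None:
        raise PermissionError("bad credentials")
    return {"username": username, "authorities": sorted(authorities)}

def parse_basic(header):
    """Decode 'Basic base64(user:pass)'; None if absent or malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def invoke(headers, required_role, client_claimed_authorities=None):
    """Per-request check. client_claimed_authorities is deliberately ignored:
    whatever the client holds after login has no bearing on authorization."""
    creds = parse_basic(headers.get("Authorization"))
    authorities = check_credentials(*creds) if creds else None
    if authorities is None:
        return 401
    return 200 if required_role in authorities else 403

def basic_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```

A client that edits the details it got back from login gains nothing, because `invoke` consults only the header and the server-side store.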
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer