I had thought of this approach, as it would require no modification to their servlet code (as far as authentication is concerned, and barring that they don't throw an exception or otherwise halt things if you're not using basic auth) - but one assumption that must hold true for this to work is that Jackrabbit must call LoginModule from the same thread in which the Acegi servlet filters authenticated the user, as the ContextHolder holds Authentications per-thread. If not, you either have to pass something from the servlet to Jackrabbit or you have to expose the Authentication from the ContextHolder of the target thread.
in fact, i do have to pass something to jackrabbit: an implementation of javax.jcr.Credentials.
so, my servlet can simply find the Authentication in the ContextHolder and wrap it with a Credentials implementation (call it AuthenticationCredentials) from which my LoginModule can extract it. gets around any threading issues altogether.
this does require a small servlet change, but that's ok, cos i had to do that anyway to override jcr-server's default credentials extraction anyway.
thanks for the discussion guys. this is fun stuff :)
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Acegiwebdav-developer mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/acegiwebdav-developer
