Dave wrote:
> What I meant by "beyond Acegi" is that Roller identifies users by using our
> User pojo. Acegi doesn't know about our User pojo, it uses its own classes
> and objects. Somewhere in between there is a translation that happens,
> which is the RollerSession. We basically take request.getUserPrincipal()
> and translate that into a Roller User pojo so the rest of the Roller code
> can know about the user.
> This is an extremely important part of the authentication process. And
> truth be told I think we need to make some improvements here because we are
> not entirely consistent in how this works.
> I'm curious. Where is the inconsistency?
The inconsistency I am talking about is that we don't use the
RollerSession as "the" way to lookup the authentic client in all
situations. I went through this when I implemented comment
authentication and the main place we need to fix this is in the
ParsedRequest object, which goes directly to the UserManager instead of
using the RollerSession.
It's a really simple and easy change, but important.
I'm basically done with my comment authentication work, so I'll find a
little time this week and write up how I did it, what changes were
necessary, and make it into a proposal to see if folks are interested in
it for 4.1.
It actually should fit into 4.1 even better than the 4.0 code which I
worked from.
-- Allen
> - Dave
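As an added illustration of the translation layer discussed in this thread (constructed example code, not Roller's own code and not code posted by Allen or Dave): a container Principal from request.getUserPrincipal() is resolved into a User through one place, RollerSession, and a second code path that goes straight to UserManager is shown beside it. The class names RollerSession, UserManager and User and the method getUserByUserName follow the thread's vocabulary, but their shapes here are assumptions; the enabled flag stands in for whatever checks the real RollerSession applies; the direct path (resolveDirectly) stands in for the ParsedRequest behaviour Allen describes; AuthRequest is a minimal stand-in for HttpServletRequest so the example runs without a servlet container.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class PrincipalTranslationDemo {

    // Stand-in for Roller's User pojo (constructed; field names are assumptions).
    static final class User {
        final String userName;
        final boolean enabled;
        User(String userName, boolean enabled) { this.userName = userName; this.enabled = enabled; }
    }

    // Stand-in for UserManager: knows accounts, knows nothing about the current request.
    static final class UserManager {
        private final Map<String, User> users = new HashMap<>();
        void add(User u) { users.put(u.userName, u); }
        User getUserByUserName(String name) { return users.get(name); }
    }

    // Only the slice of HttpServletRequest this example needs.
    interface AuthRequest {
        Principal getUserPrincipal();
    }

    // The single translation point: container Principal -> Roller User.
    // The enabled check is a placeholder for whatever policy the real RollerSession applies.
    static final class RollerSession {
        private final UserManager userManager;
        RollerSession(UserManager userManager) { this.userManager = userManager; }

        Optional<User> getAuthenticatedUser(AuthRequest request) {
            Principal principal = request.getUserPrincipal();
            if (principal == null) {
                return Optional.empty();   // the container did not authenticate anyone
            }
            User user = userManager.getUserByUserName(principal.getName());
            if (user == null || !user.enabled) {
                return Optional.empty();   // authenticated principal without a usable Roller account
            }
            return Optional.of(user);
        }
    }

    // The inconsistency from the thread, sketched: resolving the user straight from
    // UserManager, so every check RollerSession applies is silently skipped.
    static User resolveDirectly(AuthRequest request, UserManager userManager) {
        Principal principal = request.getUserPrincipal();
        return principal == null ? null : userManager.getUserByUserName(principal.getName());
    }

    // The fix: route the same lookup through RollerSession.
    static User resolveViaSession(AuthRequest request, RollerSession session) {
        return session.getAuthenticatedUser(request).orElse(null);
    }

    public static void main(String[] args) {
        UserManager userManager = new UserManager();
        userManager.add(new User("alice", true));
        userManager.add(new User("mallory", false));   // constructed: account disabled in Roller
        RollerSession session = new RollerSession(userManager);

        // Constructed request: the container still presents a principal for the disabled account.
        Principal principal = () -> "mallory";
        AuthRequest request = () -> principal;

        User direct = resolveDirectly(request, userManager);
        User viaSession = resolveViaSession(request, session);
        System.out.println("direct UserManager lookup yields a user: " + (direct != null));
        System.out.println("RollerSession lookup yields a user:     " + (viaSession != null));
    }
}
```

Running main shows the two paths disagree for the same request: the direct lookup hands back the disabled account, while the RollerSession path reports no authenticated user. That divergence is the practical reason for making RollerSession the one way to resolve the authenticated client, as Allen proposes.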