Oops - sorry - accidentally hit send prematurely. But to continue - I've updated the SecureRemoteInvocationFactory to take into account some other scenarios in which the user might be calling the SessionManager but might not have a session ID yet.
But I think it is still geared a little toward environments that have already established a session on the server. Our original use case is that an application could be launched via Java Web Start, in which case there is already a session established. Naturally this isn't good enough for remote apps that don't launch this way ;)

Could you please open a Jira issue so that I can add this functionality for 1.0?

Thanks,

Les

On Sun, Apr 5, 2009 at 12:00 PM, Les Hazlewood <[email protected]> wrote:

> Hi Jasper,
>
> Thanks for the kind words - that's always encouraging.
>
> And you're right - the system in place today expects a session to be
> established already. But there is encouraging news :) I too came across
> this same problem and altered the code base (in SVN trunk) to better handle
> this scenario. I've updated the SecureRemoteInvocationFactory
>
>
> On Thu, Apr 2, 2009 at 4:17 PM, Jasper Siepkes <[email protected]> wrote:
>
>> Hi all!
>>
>> First of all my compliments for a job well done with Apache Ki. I've
>> recently 'discovered' it and I must say it's a pleasure to work with. I
>> never really disliked JAAS or anything but Apache Ki just feels less
>> constraining.
>>
>> I do however have a question about Apache Ki (i.e. JSecurity 0.90),
>> Spring and RMI. I have a Java Swing client which uses Spring to
>> communicate via RMI with a server application (which consists of
>> OSGi, Spring DM and Apache Ki). The Server application exposes an
>> interface over RMI called CoreService which offers methods secured by,
>> you guessed it, Apache Ki :-). The RMI communication part works fine.
>> The problem is that I want the client to call the login(String username,
>> char[] password) method on the CoreService (on the server) to
>> authenticate the session. From what I can tell this is not possible with
>> the standard SecureRemoteInvocationFactory in Apache Ki since it expects
>> the session to have been established. Calling a remote method over RMI
>> without an established session makes the SecureRemoteInvocationFactory
>> throw an exception at me because there is no session(id).
>>
>> The Swing Webstart / Spring example seems to confirm this; the session
>> gets established by Spring webflow before the actual Java Swing client
>> is (web)started and the session ID is then passed along to the Java
>> client.
>>
>> Am I missing something? Or is there a (security) reason why this can't
>> be done out of the box?
>>
>> Regards,
>>
>> Jasper
