Hi Les,

I've checked out the changes to the SecureRemoteInvocationFactory and spotted a potential issue (at least I think it's an issue, I could be wrong since I'm still an Apache Ki noob :-) ). There is a call made to the method SecurityUtils.getSubject(), but this method can fail hard with an exception if there is no SecurityManager present (like in the webstart spring example). When the method fails, the fallback statement System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME) never gets executed.

Regards,

Jasper

On Sun, 5 Apr 2009 15:37:16 -0400, Les Hazlewood <[email protected]> wrote:
> Thanks Jasper, it is much appreciated!
>
> - Les
>
> On Sun, Apr 5, 2009 at 1:15 PM, Jasper Siepkes <[email protected]> wrote:
>
>> Hi Les,
>>
>> Thanks for your response. I created
>> https://issues.apache.org/jira/browse/KI-76
>>
>> I'll check out the changes you mentioned and give them a shot. If some
>> ideas pop up in my head regarding the SecureRemoteInvocationFactory I'll
>> submit them with patches to the mailing list.
>>
>> Regards,
>>
>> Jasper
>>
>> On Sun, 2009-04-05 at 12:04 -0400, Les Hazlewood wrote:
>> > Oops - sorry - accidentally hit send prematurely.
>> >
>> > But to continue - I've updated the SecureRemoteInvocationFactory to
>> > take into account some other scenarios in which the user might be
>> > calling the SessionManager but might not have a session ID yet.
>> >
>> > But I think it is still geared a little toward environments that have
>> > already established a session on the server. Our original use case is
>> > that an application could be launched via Java Web Start, in which
>> > case there is already a session established. Naturally this isn't
>> > good enough for remote apps that don't launch this way ;)
>> >
>> > Could you please open a Jira issue so that I can add this
>> > functionality for 1.0?
>> >
>> > Thanks,
>> >
>> > Les
>> >
>> > On Sun, Apr 5, 2009 at 12:00 PM, Les Hazlewood
>> > <[email protected]> wrote:
>> > Hi Jasper,
>> >
>> > Thanks for the kind words - that's always encouraging.
>> >
>> > And you're right - the system in place today expects a session
>> > to be established already. But there is encouraging news :)
>> > I too came across this same problem and altered the code base
>> > (in SVN trunk) to better handle this scenario. I've updated
>> > the SecureRemoteInvocationFactory
>> >
>> > On Thu, Apr 2, 2009 at 4:17 PM, Jasper Siepkes
>> > <[email protected]> wrote:
>> > Hi all!
>> >
>> > First of all my compliments for a job well done with Apache Ki. I've
>> > recently 'discovered' it and I must say it's a pleasure to work with. I
>> > never really disliked JAAS or anything but Apache Ki just feels less
>> > constraining.
>> >
>> > I do however have a question about Apache Ki (i.e. JSecurity 0.90),
>> > Spring and RMI. I have a Java Swing client which uses Spring to
>> > communicate via RMI with a server application (which consists out of
>> > OSGi, Spring DM and Apache Ki). The server application exposes an
>> > interface over RMI called CoreService which offers methods secured by,
>> > you guessed it, Apache Ki :-). The RMI communication part works fine.
>> > The problem is that I want the client to call the login(String username,
>> > char[] password) method on the CoreService (on the server) to
>> > authenticate the session. From what I can tell this is not possible with
>> > the standard SecureRemoteInvocationFactory in Apache Ki since it expects
>> > the session to have been established. Calling a remote method over RMI
>> > without an established session makes the SecureRemoteInvocationFactory
>> > throw an exception at me because there is no session(id).
>> >
>> > The Swing Webstart / Spring example seems to confirm this; the session
>> > gets established by Spring webflow before the actual Java Swing client
>> > is (web)started and the session ID is then passed along to the Java
>> > client.
>> >
>> > Am I missing something? Or is there a (security) reason why this can't
>> > be done out of the box?
>> >
>> > Regards,
>> >
>> > Jasper
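
The failure mode reported in the top message of this thread (an exception from the subject lookup preventing the system-property fallback from running), shown as an added example that is not part of the original thread or of the Apache Ki code base. The `subjectSessionId` supplier, the `IllegalStateException` standing in for the library's "no SecurityManager" failure, and the property value are assumptions.

```java
import java.util.function.Supplier;

public class SessionIdLookup {
    // Placeholder value: the thread names this constant but not its value.
    static final String SESSION_ID_SYSTEM_PROPERTY_NAME = "example.session.id";

    // Order of operations as reported: if the subject lookup throws,
    // the system-property fallback below is never reached.
    static String unguarded(Supplier<String> subjectSessionId) {
        String id = subjectSessionId.get();
        if (id == null) {
            id = System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
        }
        return id;
    }

    // Guarded variant: "no SecurityManager" is treated as "no subject session".
    // Only that one failure is caught, so other errors from the lookup
    // still propagate instead of being silently replaced by the fallback.
    static String guarded(Supplier<String> subjectSessionId) {
        String id = null;
        try {
            id = subjectSessionId.get();
        } catch (IllegalStateException noSecurityManager) {
            // Assumed stand-in for the library's failure; fall through.
        }
        if (id == null) {
            id = System.getProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
        }
        return id; // null means: invoke without a session ID (e.g. a first login call)
    }

    public static void main(String[] args) {
        // Constructed client environment: no SecurityManager, session ID passed as a property.
        Supplier<String> lookup = () -> {
            throw new IllegalStateException("no SecurityManager present");
        };
        System.setProperty(SESSION_ID_SYSTEM_PROPERTY_NAME, "constructed-session-id");
        try {
            unguarded(lookup);
        } catch (IllegalStateException e) {
            System.out.println("unguarded failed before fallback: " + e.getMessage());
        }
        System.out.println("guarded with property:    " + guarded(lookup));
        System.clearProperty(SESSION_ID_SYSTEM_PROPERTY_NAME);
        System.out.println("guarded without property: " + guarded(lookup));
    }
}
```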
