Hi Justin,

You're pretty close - you don't pass the username/password along with each remoting invocation. It works just like a normal user account.

For example, you get the Subject, then you call login(AuthenticationToken), and once successful, you continue to use that subject for further invocations. As long as the session id goes along with every remote invocation, the server side can associate the request with the correct user.

We have a spring sample application here:

https://svn.apache.org/repos/asf/incubator/jsecurity/trunk/samples/spring/

It uses a Java WebStart Swing UI that acts as the remote client, but works in essence like your remote grails app. Check that out and see if that helps. Feel free to ask more questions.

Cheers,

Les

On Thu, May 14, 2009 at 2:54 PM, jtriley <[email protected]> wrote:

> I'm curious if anyone could shed some light on how to do the following:
>
> I have two grails apps that I've connected via spring's httpinvoker via the
> grails remoting plugin. I have jsecurity installed on the remote side with a
> few users/roles. I'd like to create a user for the client grails app to
> authenticate with so that I can rest assured that only those apps with the
> proper credentials can use the server's remote procedures.
>
> Basically, anytime my client grails app connects to the remote grails app
> via spring's httpinvoker, I'd like for the httpinvoker bean to pass along a
> username/password, obtain a session, and then carry that session for future
> remote procedure calls (just like in a browser). Otherwise, any
> unauthenticated calls to the remote grails app's remote procedures should
> fail.
>
> So, in researching this, it appears that jsecurity has a
> org.jsecurity.spring.remoting package that contains the following classes:
>
> SecureRemoteInvocationExecutor (server side)
> SecureRemoteInvocationFactory (client side)
>
> Looking in at the guts of the remoting plugin I have determined that
> org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter is used
> on the remote side and
> org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean is used
> for the client side.
>
> Looking at these classes I see that I can set a property
> "remoteInvocationExecutor" on the enclosing beans that points to the classes
> in org.jsecurity.spring.remoting
>
> What I'm confused about at this point is how I pass in the username/password
> from the client-side and I'm also wondering if there's anything to do on the
> server side?
>
> Of course, I could be totally off with all of this and would certainly
> appreciate someone setting me straight on these issues.
>
> Thanks!
>
> ~jtriley
> --
> View this message in context:
> http://n2.nabble.com/integrating-jsecurity-ki-auth-with-spring%27s-httpinvoker-tp2898395p2898395.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
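Added example, not part of the original thread or of the JSecurity sample application: one way the four classes named in this thread could be wired together as Spring bean definitions, so that the session id travels with each remote invocation. The bean ids, the `com.example.AccountService` interface, the service URL and the `securityManager` property and bean reference are assumptions for illustration.

```xml
<!-- Constructed example. Bean ids, com.example.AccountService and the URL are hypothetical. -->

<!-- ===== Server-side Spring context (the app exposing the remote procedures) ===== -->

<!-- Server-side class from org.jsecurity.spring.remoting: lets the server associate
     each incoming invocation with the session it carries.
     Assumption: it takes the application's SecurityManager via a "securityManager"
     property, and a bean with that id is defined elsewhere in this context. -->
<bean id="secureRemoteInvocationExecutor"
      class="org.jsecurity.spring.remoting.SecureRemoteInvocationExecutor">
  <property name="securityManager" ref="securityManager"/>
</bean>

<!-- Spring's exporter, with its remoteInvocationExecutor swapped for the secure one. -->
<bean name="/accountService"
      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
  <property name="service" ref="accountServiceImpl"/>
  <property name="serviceInterface" value="com.example.AccountService"/>
  <property name="remoteInvocationExecutor" ref="secureRemoteInvocationExecutor"/>
</bean>

<!-- ===== Client-side Spring context (the app calling the remote procedures) ===== -->

<!-- Client-side class from org.jsecurity.spring.remoting: builds each invocation so
     that the session id goes along with it. No username/password is configured here;
     the client logs in once and the resulting session is reused. -->
<bean id="secureRemoteInvocationFactory"
      class="org.jsecurity.spring.remoting.SecureRemoteInvocationFactory"/>

<!-- Spring's client proxy, with its remoteInvocationFactory swapped for the secure one.
     HTTPS is used because the session id is sent on every call. -->
<bean id="accountService"
      class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
  <property name="serviceUrl" value="https://server.example.com/remoting/accountService"/>
  <property name="serviceInterface" value="com.example.AccountService"/>
  <property name="remoteInvocationFactory" ref="secureRemoteInvocationFactory"/>
</bean>
```

This wiring only ties each call to a session; rejecting unauthenticated callers still depends on the access checks applied to the exported service on the server.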
