> Besides the Spring integration, maybe you should rethink your design?
> Use something like Acegi Security to perform authentication and authorization instead of passing Session objects to the business layer...
> At least consider wrapping the info you need (user id and roles) in an object, instead of passing the session object...
> As far as I remember (after quite some time using frameworks I guess I've lost some basics :-)) there's no need to store the user's details in the session? Everything should be there, at least if you use container (or Tomcat) based auth?

Yes, Acegi uses a security context holder which is basically bound to the thread. A filter on the incoming request ensures the thread has the appropriate user. It is then available throughout your application, including the Spring beans.
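
The thread-bound holder and filter described in the reply above, as an added example that is not part of the original thread and is not Acegi's own code: a plain-Java sketch in which `ContextHolder`, `UserInfo`, `handleRequest` and `deleteAccount` are hypothetical names and the users are constructed samples. It also shows why the filter has to clear the holder when the request ends, since worker threads are pooled and reused.

```java
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundContextDemo {
    // Hypothetical wrapper for the "user id and roles" mentioned in the thread.
    record UserInfo(String userId, Set<String> roles) {}

    // Hypothetical holder: one slot per thread, like a thread-bound security context.
    static final class ContextHolder {
        private static final ThreadLocal<UserInfo> CURRENT = new ThreadLocal<>();
        static void set(UserInfo u) { CURRENT.set(u); }
        static UserInfo get() { return CURRENT.get(); }
        static void clear() { CURRENT.remove(); }
    }

    // Business-layer code: takes no session parameter, reads the caller from the holder.
    static String deleteAccount(String accountId) {
        UserInfo u = ContextHolder.get();
        if (u == null || !u.roles().contains("ADMIN")) {
            return "DENIED"; // fail closed when no user is bound to this thread
        }
        return "deleted " + accountId + " as " + u.userId();
    }

    // Plays the role of the request filter: bind the user, run the request, always unbind.
    static String handleRequest(UserInfo authenticated, String accountId) {
        ContextHolder.set(authenticated);
        try {
            return deleteAccount(accountId);
        } finally {
            // Without this, the next request served by this pooled thread
            // would inherit the previous request's user.
            ContextHolder.clear();
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one worker, so reuse is guaranteed
        UserInfo admin = new UserInfo("alice", Set.of("ADMIN")); // constructed sample users
        UserInfo guest = new UserInfo("bob", Set.of("USER"));
        System.out.println(pool.submit(() -> handleRequest(admin, "acct-1")).get());
        System.out.println(pool.submit(() -> handleRequest(guest, "acct-2")).get());
        // Work that bypassed the filter runs on the same reused thread and finds no user.
        System.out.println(pool.submit(() -> deleteAccount("acct-3")).get());
        pool.shutdown();
    }
}
```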

