On Wed, Aug 20, 2008 at 2:52 PM, Michael Harris <[EMAIL PROTECTED]> wrote: > For our app we wanted each session associated with a user. Our application > does not use JAAS; our authentication is handled at the organization level.
What do you mean by organization level? > I got around it by extending the JcrSessionFactory (using spring modules) > to associate the User information (we have a lightweight User object with id > and role on a threadlocal) and just putting the user name on the simple > credentials instance that is used to generate the JR session. > > Would the "correct" way have been to use JAAS regardless of the fact that > our authentication is handled by a custom system, or is the solution > described above acceptable? The "correct" way would be to implement a JAAS LoginModule that uses the User object you already have. Even if it would be always present (ie. authentication would never fail with Jackrabbit), you still have proper userid for things like JCR observation. Regards, Alex -- Alexander Klimetschek [EMAIL PROTECTED]
