On Wed, Aug 20, 2008 at 9:53 AM, Alexander Klimetschek <[EMAIL PROTECTED]> wrote:

> On Wed, Aug 20, 2008 at 2:52 PM, Michael Harris
> <[EMAIL PROTECTED]> wrote:
> > For our app we wanted each session associated with a user. Our application
> > does not use JAAS; our authentication is handled at the organization level.
>
> What do you mean by organization level?

I mean that the organization for whom I work handles authentication across
multiple applications with a single custom solution.

> >
> > I got around it by extending the JcrSessionFactory (using spring modules)
> > to associate the User information (we have a lightweight User object with id
> > and role on a threadlocal) and just putting the user name on the simple
> > credentials instance that is used to generate the JR session.
> >
> > Would the "correct" way have been to use JAAS regardless of the fact that
> > our authentication is handled by a custom system, or is the solution
> > described above acceptable?
>
> The "correct" way would be to implement a JAAS LoginModule that uses
> the User object you already have. Even if it would be always present
> (i.e. authentication would never fail with Jackrabbit), you still have
> proper userid for things like JCR observation.
>
> Regards,
> Alex
>
>
> --
> Alexander Klimetschek
> [EMAIL PROTECTED]
>

--
---------------------
Michael Harris
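
A sketch of the LoginModule approach suggested in the reply above, as an added example that is not code from either poster or from Jackrabbit. The `User` class, the `CURRENT` thread-local and the module name are hypothetical stand-ins for the application's own objects, and it assumes Jackrabbit takes the session's user ID from the name of the principal placed on the Subject. The module fails closed when no upstream identity is bound to the thread.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS module that trusts a User already authenticated upstream. */
public class UpstreamUserLoginModule implements LoginModule {
    /** Stand-in for the application's lightweight User object (id and role). */
    public static final class User {
        final String id, role;
        public User(String id, String role) { this.id = id; this.role = role; }
    }
    /** Hypothetical holder: the upstream authentication layer sets and clears it per request. */
    public static final ThreadLocal<User> CURRENT = new ThreadLocal<User>();

    private Subject subject;
    private Principal principal;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }

    public boolean login() throws LoginException {
        final User user = CURRENT.get();
        // Fail closed: a thread with no upstream identity must not obtain a session.
        if (user == null || user.id == null || user.id.isEmpty()) {
            throw new LoginException("no authenticated user bound to this thread");
        }
        principal = new Principal() {
            public String getName() { return user.id; }
        };
        return true;
    }

    public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal); // assumed source of the JCR session's user ID
        return true;
    }

    public boolean abort() { principal = null; return true; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

The thread-local has to be cleared when each request ends so that a pooled thread cannot carry one user's identity into the next request.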
