We use an "in-house" security provider, too, but I found it quite easy to
adapt acegi... implementing my own UserDetailsService and PasswordEncoder
did the job.
So, maybe if you have a look at the acegi examples/source, and then try
to implement the interfaces
org.acegisecurity.userdetails.UserDetailsService
org.acegisecurity.providers.encoding.PasswordEncoder
so that they communicate with your in house solution, and then wire
everything up in the spring config, you're done...
For integration of acegi, search the myfaces wiki, jsf-spring project on
sourceforge, or even the spring documentation itself... there are lots
of out of the box working examples out there...
hth,
Tom
bansi wrote:
Thanks Everyone for providing valuable suggestions
We use an in-house security system which gives employee Id and Roles on
successful authentication. We need to
store employee Id & Roles into some kind of object, maybe session, so that it
can be accessible by any Spring bean in the business layer.
David, I totally agree with you that I should rethink my design. Not sure
what's the best practice to pass user info viz. user Id, user Roles,
privileges etc. from JSF to Spring.
Are you referring to a POJO instead of the session object for wrapping userId and
roles? That's a good idea, even I thought about it, BUT users will have different
session objects with their user Info in it and also we want the Lifecycle of
the object to be under session i.e. as the session terminates the object
should be destroyed
Regards
Bansi
Nebinger, David wrote:
Besides the spring integration, maybe you should rethink your
design ?
Use something like acegi security to perform authentication
and authorization instead of passing Session objects to the
business layer...
At least consider wrapping the info you need (user id and
roles) in an object, instead of passing the session object...
As far as I remember (after quite some time using frameworks
I guess I've lost some basics :-)) there's no need to store
the user's details in the session ? Everything should be
there, at least if you use container (or tomcat) based auth ?
Yes, Acegi uses a security context holder which is basically bound to
the thread. A filter on the incoming request ensures the thread has the
appropriate user. It is then available throughout your application,
including the spring beans.
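
The approach discussed in this thread, sketched as an added example that is not code from any of the posters or from the Acegi project: a `UserDetailsService` that adapts an in-house provider, plus a helper that business-layer beans can call to read the thread-bound user instead of receiving a session object. `InHouseDirectory`, `rolesFor`, `passwordHashFor` and `CurrentUser` are hypothetical names; the Acegi 1.0.x types are the real ones under `org.acegisecurity`.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;

// Hypothetical facade over the in-house security system (not an Acegi type).
interface InHouseDirectory {
    String[] rolesFor(String employeeId);        // assumed: null when the employee is unknown
    String passwordHashFor(String employeeId);   // assumed: hash checked by a custom PasswordEncoder
}

public class InHouseUserDetailsService implements UserDetailsService {
    private final InHouseDirectory directory;

    public InHouseUserDetailsService(InHouseDirectory directory) {
        this.directory = directory;
    }

    public UserDetails loadUserByUsername(String employeeId) {
        String[] roles = directory.rolesFor(employeeId);
        if (roles == null) {
            // Fail closed: never hand back null or a role-less placeholder user.
            throw new UsernameNotFoundException("Unknown employee id");
        }
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            // "ROLE_" is the default prefix Acegi's RoleVoter looks for.
            authorities[i] = new GrantedAuthorityImpl("ROLE_" + roles[i]);
        }
        return new User(employeeId, directory.passwordHashFor(employeeId),
                true, true, true, true, authorities);
    }
}

// Business-layer helper: reads the user bound to the current request thread.
class CurrentUser {
    static String employeeId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new IllegalStateException("No authenticated user on this thread");
        }
        return auth.getName();
    }
}
```

The service is wired into the authentication provider in the Spring config; because the context is thread-bound, `CurrentUser` only returns a value on threads that passed through the Acegi filter chain.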