So the most symmetrical solution would be to pass the ServerSession to the PasswordAuthenticator and to have a SessionAware on the ShellFactory. Passing around the Identity would be done using session attributes. Not touching the PasswordAuthenticator interface but letting the UserAuthPassword store the Identity in the ServerSession would be less invasive, but would force the Identity concept onto everybody. For me the Identity concept could be a little stronger in the model, but it seems no one else needs it. I'll work on the symmetrical solution and propose it as a patch when finished. Thanks
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
