Hi all!

First of all, my compliments for a job well done with Apache Ki. I've recently 'discovered' it and I must say it's a pleasure to work with. I never really disliked JAAS or anything, but Apache Ki just feels less constraining.

I do however have a question about Apache Ki (i.e. JSecurity 0.90), Spring and RMI. I have a Java Swing client which uses Spring to communicate via RMI with a server application (which consists of OSGi, Spring DM and Apache Ki). The server application exposes an interface over RMI called CoreService which offers methods secured by, you guessed it, Apache Ki :-). The RMI communication part works fine.

The problem is that I want the client to call the login(String username, char[] password) method on the CoreService (on the server) to authenticate the session. From what I can tell this is not possible with the standard SecureRemoteInvocationFactory in Apache Ki since it expects the session to have been established. Calling a remote method over RMI without an established session makes the SecureRemoteInvocationFactory throw an exception at me because there is no session(id). The Swing Webstart / Spring example seems to confirm this; the session gets established by Spring webflow before the actual Java Swing client is (web)started and the session ID is then passed along to the Java client.

Am I missing something? Or is there a (security) reason why this can't be done out of the box?

Regards,
Jasper
