Hi Jasper, Thanks for the kind words - that's always encouraging.
And you're right - the system in place today expects a session to be established already. But there is encouraging news :) I too came across this same problem and altered the code base (in SVN trunk) to better handle this scenario. I've updated the SecureRemoteInvocationFactory On Thu, Apr 2, 2009 at 4:17 PM, Jasper Siepkes <[email protected]> wrote: > Hi all! > > First of all my complements for a job well done with Apache Ki. I've > recently 'discovered' it and I must say its a pleasure to work with. I > never really disliked JAAS or anything but Apache Ki just feels less > constraining. > > I do however have a question about Apache Ki (ie. JSecurity 0.90), > Spring and RMI. I have a Java Swing client which uses Spring to > communicate via RMI with a server application (which consists out of > OSGi, Spring DM and Apache Ki). The Server application exposes an > interface over RMI called CoreService which offers methods secured by, > you guessed it, Apache Ki :-). The RMI communication part works fine. > The problem is that I want the client to call the login(String username, > char[] password) method on the CoreService (on the server) to > authenticate the session. From what I can tell this is not possible with > the standard SecureRemoteInvocationFactory in Apache Ki since it expects > the session to have been established. Calling a remote method over RMI > without an established session makes the SecureRemoteInvocationFactory > throw an exception at me because there is no session(id). > > The Swing Webstart / Spring example seems to confirm this; The session > gets established by Spring webflow before the actual Java Swing client > is (web)started and the session ID is then passed along to the Java > client. > > Am I missing something ? Or is there a (security) reason why this can't > be done out of the box ? > > Regards, > > Jasper > >
