Hi Les, Thanks for your response. I created https://issues.apache.org/jira/browse/KI-76
I'll checkout the changes you mentioned and give them a shot. If some ideas popup in my head regarding the SecureRemoteInvocationFactory I'll submit them with patches to the mailinglist. Regards, Jasper On Sun, 2009-04-05 at 12:04 -0400, Les Hazlewood wrote: > Oops - sorry - accidentally hit send prematurely. > > But to continue - I've updated the SecureRemoteInvocationFactory to > take into account some other scenarios in which the user might be > calling the SessionManager but might not have a session ID yet. > > But I think it is still geared a little toward environments that have > already established a session on the server. Our original use case is > that an application could be launched via Java Web Start, in which > case there is already a session established. Naturally this isn't > good enough for remote apps that don't launch this way ;) > > Could you please open a Jira issue so that I can add this > functionality for 1.0? > > Thanks, > > Les > > On Sun, Apr 5, 2009 at 12:00 PM, Les Hazlewood > <[email protected]> wrote: > Hi Jasper, > > Thanks for the kind words - that's always encouraging. > > And you're right - the system in place today expects a session > to be established already. But there is encouraging news :) > I too came across this same problem and altered the code base > (in SVN trunk) to better handle this scenario. I've updated > the SecureRemoteInvocationFactory > > > > On Thu, Apr 2, 2009 at 4:17 PM, Jasper Siepkes > <[email protected]> wrote: > Hi all! > > First of all my complements for a job well done with > Apache Ki. I've > recently 'discovered' it and I must say its a pleasure > to work with. I > never really disliked JAAS or anything but Apache Ki > just feels less > constraining. > > I do however have a question about Apache Ki (ie. > JSecurity 0.90), > Spring and RMI. I have a Java Swing client which uses > Spring to > communicate via RMI with a server application (which > consists out of > OSGi, Spring DM and Apache Ki). The Server application > exposes an > interface over RMI called CoreService which offers > methods secured by, > you guessed it, Apache Ki :-). The RMI communication > part works fine. > The problem is that I want the client to call the > login(String username, > char[] password) method on the CoreService (on the > server) to > authenticate the session. From what I can tell this is > not possible with > the standard SecureRemoteInvocationFactory in Apache > Ki since it expects > the session to have been established. Calling a remote > method over RMI > without an established session makes the > SecureRemoteInvocationFactory > throw an exception at me because there is no > session(id). > > The Swing Webstart / Spring example seems to confirm > this; The session > gets established by Spring webflow before the actual > Java Swing client > is (web)started and the session ID is then passed > along to the Java > client. > > Am I missing something ? Or is there a (security) > reason why this can't > be done out of the box ? > > Regards, > > Jasper > > > >
