Thanks Jasper, it is much appreciated! - Les
On Sun, Apr 5, 2009 at 1:15 PM, Jasper Siepkes <[email protected]> wrote: > Hi Les, > > Thanks for your response. I created > https://issues.apache.org/jira/browse/KI-76 > > I'll checkout the changes you mentioned and give them a shot. If some > ideas popup in my head regarding the SecureRemoteInvocationFactory I'll > submit them with patches to the mailinglist. > > Regards, > > Jasper > > On Sun, 2009-04-05 at 12:04 -0400, Les Hazlewood wrote: > > Oops - sorry - accidentally hit send prematurely. > > > > But to continue - I've updated the SecureRemoteInvocationFactory to > > take into account some other scenarios in which the user might be > > calling the SessionManager but might not have a session ID yet. > > > > But I think it is still geared a little toward environments that have > > already established a session on the server. Our original use case is > > that an application could be launched via Java Web Start, in which > > case there is already a session established. Naturally this isn't > > good enough for remote apps that don't launch this way ;) > > > > Could you please open a Jira issue so that I can add this > > functionality for 1.0? > > > > Thanks, > > > > Les > > > > On Sun, Apr 5, 2009 at 12:00 PM, Les Hazlewood > > <[email protected]> wrote: > > Hi Jasper, > > > > Thanks for the kind words - that's always encouraging. > > > > And you're right - the system in place today expects a session > > to be established already. But there is encouraging news :) > > I too came across this same problem and altered the code base > > (in SVN trunk) to better handle this scenario. I've updated > > the SecureRemoteInvocationFactory > > > > > > > > On Thu, Apr 2, 2009 at 4:17 PM, Jasper Siepkes > > <[email protected]> wrote: > > Hi all! > > > > First of all my complements for a job well done with > > Apache Ki. I've > > recently 'discovered' it and I must say its a pleasure > > to work with. I > > never really disliked JAAS or anything but Apache Ki > > just feels less > > constraining. > > > > I do however have a question about Apache Ki (ie. > > JSecurity 0.90), > > Spring and RMI. I have a Java Swing client which uses > > Spring to > > communicate via RMI with a server application (which > > consists out of > > OSGi, Spring DM and Apache Ki). The Server application > > exposes an > > interface over RMI called CoreService which offers > > methods secured by, > > you guessed it, Apache Ki :-). The RMI communication > > part works fine. > > The problem is that I want the client to call the > > login(String username, > > char[] password) method on the CoreService (on the > > server) to > > authenticate the session. From what I can tell this is > > not possible with > > the standard SecureRemoteInvocationFactory in Apache > > Ki since it expects > > the session to have been established. Calling a remote > > method over RMI > > without an established session makes the > > SecureRemoteInvocationFactory > > throw an exception at me because there is no > > session(id). > > > > The Swing Webstart / Spring example seems to confirm > > this; The session > > gets established by Spring webflow before the actual > > Java Swing client > > is (web)started and the session ID is then passed > > along to the Java > > client. > > > > Am I missing something ? Or is there a (security) > > reason why this can't > > be done out of the box ? > > > > Regards, > > > > Jasper > > > > > > > > > >
