Hi all, I'm adding a (for a lack of a better name) a DelegatingWebSecurityManager that plays a part in some enterprise environments where the web tier and business-logic tier do not reside in the same virtual machine (crappy architecture, I know, but sometimes it is forced upon you by ignorant network/security admins and you have no choice. I'm not bitter about this. Not one bit. I'm just saying.).
This implementation performs the necessary Web/Http behavior (dealing with requests and cookies and such), but delegates all Authenticator, Authorizer, and SessionManager method invocations to a SecurityManager delegate instance. Usually this delegate instance is a remoting proxy to the 'central' or 'master' SecurityManager that resides somewhere else and performs the actual work. I've been using it for the last 4 months in a large production app with success. It is useful in many government and financial environments that have these network restrictions. Any preferences on where this should reside in the web module? For now I am committing it to the 'org.apache.shiro.web' package where the existing DefaultWebSecurityManager is. I thought about a 'remoting' sub package, but that didn't make much sense to me since the concept of delegating to another component does not require any knowledge/use of any remoting APIs (even though in practice it would be used mostly in remote environments, but could be useful in test cases too). If anyone feels strongly about another location or another name, please feel free to chime in. - Les
