Hello

We have a web application using ACEGI-Security (now known as Spring 
Security). Lately we added MyFaces Orchestra for handling conversation 
scope, providing different application states in different browser windows on 
the same client. It works great, but there is an issue regarding security. 

When ACEGI-Security is used with 
org.acegisecurity.context.HttpSessionContextIntegrationFilter, authenticated 
principals are stored in the session context, using a SecurityContext 
instance. When working with conversation scope, we would like to authenticate 
users for one conversation only, not for the whole session. We tried this by 
implementing a filter that uses a conversation-scoped bean to store the 
SecurityContext in. So far it has not worked, because of the sequence in which 
the filters are called. Changing this sequence gets pretty messy because 
security has to be applied to all resources of the application, and the 
conversation scope is only part of the javax.faces.webapp.FacesServlet. So 
the good way to go is to ensure security first, before calling any other 
servlet/filter, isn't it?

Is there a proper way to integrate Spring Security with a conversation scope 
provided by Orchestra, so that one can log in for each conversation 
separately?

best regards
Matthias Gerber



