We recently upgraded our application to Spring 3.0 and Spring Security 3.0. A part of the additional work we want to do is to separate the backend from the front end for various reasons. We plan to use Spring's transparent RMI solution for exposing our services to our front end. However, the way things are designed today, both the front and back ends rely on the Spring SecurityContext to protect services etc. from unauthorized users. From what I understand, the SecurityContext is per JVM? If that is correct, how can I effectively share the context with the backend? I would assume passing in the authentication token on RMI calls that require it?
+2
A:
Having previously worked with Spring's HTTP invoker remoting, I can say that there's built-in support for passing Spring security tokens. I would assume that Spring's RMI solution also has this feature, but you'd need to dig around in Spring's RMI classes/javadoc to confirm this.
On the client side, you'll need the ContextPropagatingRemoteInvocationFactory class, which will automatically include a Spring security context on the remote invocation.
hbunny
2010-02-26 14:48:35
You are right. I did a search in the Spring reference manual and found where they say there isn't direct support, but the hook exists. So I dug through the Javadocs and found Spring Security's ContextPropagatingRemoteInvocation, which allows the client calls to pass the authentication object on remote calls. Sweet, thanks!
predhme
2010-02-26 14:51:24
So vote up his answer, predhme.
Hans Westerbeek
2010-02-27 10:18:46
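The wiring discussed in the answer and its first comment, as an added example that is not code from any poster in this thread. The AccountService interface, host name, port and bean names are hypothetical; the Spring classes and setters are the ones shipped with Spring 3.0 and Spring Security 3.0.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.rmi.RmiProxyFactoryBean;
import org.springframework.remoting.rmi.RmiServiceExporter;
import org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocationFactory;

// Hypothetical service interface, shared by the front-end and back-end JVMs.
interface AccountService {
    String findOwner(long accountId);
}

// Front-end JVM: the proxy wraps every call in a ContextPropagatingRemoteInvocation,
// which carries the caller's authentication from the local SecurityContextHolder.
@Configuration
class FrontEndRmiConfig {
    @Bean
    public RmiProxyFactoryBean accountService() {
        RmiProxyFactoryBean proxy = new RmiProxyFactoryBean();
        // Assumed host and port. Default RMI sockets are unencrypted, so keep this
        // link on a trusted network or supply SSL socket factories.
        proxy.setServiceUrl("rmi://backend.example.internal:1199/AccountService");
        proxy.setServiceInterface(AccountService.class);
        proxy.setRemoteInvocationFactory(new ContextPropagatingRemoteInvocationFactory());
        return proxy;
    }
}

// Back-end JVM: no exporter-specific setting is needed. The invocation object sets
// the SecurityContextHolder itself when the exporter invokes it, so Spring Security
// must be on this classpath. What arrives is supplied by the client JVM, so keep
// method security on the back-end service and let it make the access decision here.
@Configuration
class BackEndRmiConfig {
    @Autowired
    private AccountService accountServiceImpl; // hypothetical secured implementation

    @Bean
    public RmiServiceExporter accountServiceExporter() {
        RmiServiceExporter exporter = new RmiServiceExporter();
        exporter.setServiceName("AccountService");
        exporter.setServiceInterface(AccountService.class);
        exporter.setService(accountServiceImpl);
        exporter.setRegistryPort(1199); // must match the port in the client URL
        return exporter;
    }
}
```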