Spring Security in a distributed application
We recently upgraded our application to Spring 3.0 and Spring Security 3.0. Part of the additional work we want to do is to separate the backend from the front end for various reasons. We plan to use Spring's transparent RMI solution for exposing our services to our front end. However, the way things are designed today, both the front and back ends rely on the Spring SecurityContext to protect services etc. from unauthorized users. From what I understand, the SecurityContext is per JVM? If that is correct, how can I effectively share the context with the backend? I would assume passing in the authentication token on RMI calls that require it?
Having previously worked with Spring's HTTP invoker remoting, I can say that there's built-in support for passing Spring security tokens. I would assume that Spring's RMI solution also has this feature, but you'd need to dig around in Spring's RMI classes/javadoc to confirm this.
On the client side, you'll need the ContextPropagatingRemoteInvocationFactory class, which will automatically include a Spring security context on the remote invocation.
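The client-side wiring described above, together with a matching exporter, as an added example that is not code from the original posts. AccountService, the host name and the port are hypothetical, and the back end is assumed to have method security enabled in its own application context.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.rmi.RmiProxyFactoryBean;
import org.springframework.remoting.rmi.RmiServiceExporter;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocationFactory;

// Hypothetical service contract shared by both JVMs.
interface AccountService {
    @Secured("ROLE_USER") // checked by the back end's own method security (assumed enabled)
    String describeAccount(long accountId);
}

// Front-end JVM: RMI proxy that adds the caller's security context to every call.
@Configuration
class FrontEndRemotingConfig {
    @Bean
    public RmiProxyFactoryBean accountService() {
        RmiProxyFactoryBean proxy = new RmiProxyFactoryBean();
        // Placeholder URL; point it at the back end's RMI registry.
        proxy.setServiceUrl("rmi://backend.example.internal:1099/AccountService");
        proxy.setServiceInterface(AccountService.class);
        // Without this line the default factory is used and no security context travels.
        proxy.setRemoteInvocationFactory(new ContextPropagatingRemoteInvocationFactory());
        return proxy;
    }
}

// Back-end JVM: ordinary exporter; the received invocation object populates
// SecurityContextHolder around the target call and clears it afterwards.
@Configuration
class BackEndRemotingConfig {
    @Bean
    public AccountService accountServiceImpl() {
        return new AccountService() {
            public String describeAccount(long accountId) {
                return "account " + accountId; // stand-in for real business logic
            }
        };
    }

    @Bean
    public RmiServiceExporter accountServiceExporter() {
        RmiServiceExporter exporter = new RmiServiceExporter();
        exporter.setServiceName("AccountService");
        exporter.setService(accountServiceImpl());
        exporter.setServiceInterface(AccountService.class);
        exporter.setRegistryPort(1099);
        return exporter;
    }
}
```

The back end acts on whatever security information the client serializes into the call, so the RMI port should be reachable only from the trusted front end.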