I'm trying to determine if Acegi would be useful to us given our security environment. We use SiteMinder to handle all of our authentication requirements. Since SiteMinder runs as an Apache module, the user has already been authenticated by the time he or she would hit our application. In the past we would simply retrieve the user's username out of the request header with request.getHeader("sm_user") and then look up the user's details from the database to determine the user's capabilities within the application.
In an effort to centralize the user/group/role functionality required by virtually every one of our applications, we are in the process of developing a centralized "user management" application. This application will store all user data, the various applications to which the user has access, and the rights a user has within a particular application. An application in need of user management services would make a TBD remote call to the user management app to look up the user details and authorities.
Since our authentication needs are already handled by SiteMinder, is it still practical for us to look to Acegi to help with our authorization needs? I'm impressed by Acegi's architecture and capabilities, but I'm not quite clear how we would approach using it in our environment. Based on some earlier posts on this board (http://forum.springframework.org/vie...ght=siteminder) it appears that we would begin by creating a custom implementation of the HttpSessionContextIntegrationFilter to populate the ContextHolder with a Context object containing the sm_user header wrapped in an Authentication object. Does this sound correct so far? Are there other custom classes we would need to write given our environment? Does the fact that we'll be issuing remote calls to our user management application complicate matters?
I would appreciate any advice on this topic.
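As an added illustration (not code from the original post or from the Acegi project), the following servlet filter shows one way to do what the post describes: read the `sm_user` header set by the SiteMinder Apache module, resolve the user's authorities through the remote user-management service, and place an authenticated token into the Acegi context. It assumes Acegi 0.8-era class names (`ContextHolder`, `SecureContextImpl`, `UsernamePasswordAuthenticationToken`, `GrantedAuthorityImpl`); the `UserManagementClient` interface and the `X-Gateway-Secret` header are hypothetical stand-ins for the "TBD remote call" and for whatever mechanism proves the request really passed through the SiteMinder-protected front end.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/**
 * Builds the Acegi SecureContext from the SiteMinder "sm_user" header.
 *
 * Meant to sit in the filter chain after HttpSessionContextIntegrationFilter,
 * which restores and saves the Context in the HttpSession. Because of that,
 * the remote lookup against the user-management application runs once per
 * session (or when the header names a different user), not once per request.
 */
public class SiteMinderHeaderFilter implements Filter {

    /** Hypothetical client for the remote user-management application. */
    public interface UserManagementClient {
        /** Returns the user's role names for this application, or null if unknown. */
        String[] lookupRoles(String username);
    }

    private final UserManagementClient userManagement;
    /** Assumption: a value only the SiteMinder-protected front end injects. */
    private final String expectedGatewaySecret;

    public SiteMinderHeaderFilter(UserManagementClient userManagement, String expectedGatewaySecret) {
        this.userManagement = userManagement;
        this.expectedGatewaySecret = expectedGatewaySecret;
    }

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // sm_user is trustworthy only for requests that came through the
        // SiteMinder module; a request reaching the app server directly could
        // carry any header value, so require evidence of the trusted path first.
        if (expectedGatewaySecret != null
                && !expectedGatewaySecret.equals(request.getHeader("X-Gateway-Secret"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String smUser = request.getHeader("sm_user");
        if (smUser == null || smUser.trim().length() == 0) {
            // SiteMinder should have authenticated every caller; no header means
            // the request did not go through it.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        SecureContext ctx = currentSecureContext();
        Authentication existing = ctx.getAuthentication();
        if (existing == null || !smUser.equals(existing.getPrincipal())) {
            String[] roles = userManagement.lookupRoles(smUser);
            if (roles == null) {
                // Authenticated by SiteMinder but not provisioned for this application.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
            for (int i = 0; i < roles.length; i++) {
                authorities[i] = new GrantedAuthorityImpl(roles[i]);
            }
            // No credentials are available (or needed): the three-argument
            // constructor marks the token as already authenticated.
            ctx.setAuthentication(new UsernamePasswordAuthenticationToken(smUser, null, authorities));
        }

        chain.doFilter(req, res);
    }

    /** Returns the thread's SecureContext, creating one if none is bound. */
    private SecureContext currentSecureContext() {
        Context ctx = ContextHolder.getContext();
        if (!(ctx instanceof SecureContext)) {
            ctx = new SecureContextImpl();
            ContextHolder.setContext(ctx);
        }
        return (SecureContext) ctx;
    }
}
```

The gateway-secret header is only one way to prove the request traversed the SiteMinder module; restricting the application server to accept connections solely from the Apache front end achieves the same thing at the network layer, in which case the secret check can be dropped. Comparing the header's user name against the principal already in the session guards against a session that outlives a change of SiteMinder identity, which is the one case where reusing the cached remote lookup would hand one user another user's authorities.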