Feb 2nd, 2006, 10:27 AM
#1
Newbie question, i.e., how to get authentication to work...
Hi, I am exploring the possibilities of changing our EJB/J2EE based system to run on Spring&Acegi&Tomcat as soon as possible. I easily got to the point at which I converted my demo EJB and its client to a Spring framework based servlet and a corresponding client utilising HttpInvokerProxyFactoryBean. The ultimate goal is to have a Java CLI client (a former EJB client) that can call methods from a server class residing inside a servlet (a former EJB) + A&A for the server side (and here authorisation is needed at method-level, just like in J2EE); no WebUIs are in the picture.
The first part of the goal is OK, but unfortunately I haven't had time yet to go beyond the first A, so the first question is how to get authentication working properly? I have in my servlet's web.xml these spring/acegi related items:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/security.xml
    </param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
and in the security.xml these entries:
<beans>
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="JAASAuthenticationProvider"/>
            </list>
        </property>
    </bean>
    <bean id="JAASAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider">
        <property name="loginConfig">
            <value>/WEB-INF/myJAAS.conf</value>
        </property>
        <property name="loginContextName">
            <value>demoLogin</value>
        </property>
        <property name="callbackHandlers">
            <list>
                <bean class="org.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
                <bean class="org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
            </list>
        </property>
        <property name="authorityGranters">
            <list>
                <bean class="com.my.own.security.AuthorityGranter"/>
            </list>
        </property>
    </bean>
</beans>
Should this be enough for enabling authentication using my own JAAS modules or am I missing some important entries? Anyway, my servlet does not even start in Tomcat with these configurations and I have not been able to pinpoint the exact cause for the failure. Furthermore, it starts and works OK (however, with no security) if I comment out the above entries in the security.xml. All classes are found properly (at least I do not see any related errors in the logs, but I do see that the acegi classes are at least loaded) - so I am a bit puzzled here. Should this even work? The next question would then be how to configure authorisation most easily, i.e., how to most easily duplicate what ejb-jar.xml is doing for EJBs?
I would very much appreciate advice - and perhaps even clear howtos, if that is not asking too much - on the subject, although I am probably asking a very stupid and basic question (my deep apologies for that). Or is there a good and _simple_ example application showing how to convert a basic CLI client-server system + especially the A&A from the J2EE world to the Spring/Acegi world?
Thanks...