Nov 12th, 2007, 03:57 PM
I have an application that uses a mixture of Flash/Flex and HTML for its front end and uses a Spring-based Java J2EE application for its data. XML is streamed between the two layers.

I need to place some security around some parts of the site and I have been looking at Acegi security. However, due to various issues with load balancers etc., I am limited to not being able to use sessions at all. I also have to make use of an already existing authentication service that uses a DAO, as the credentials are stored in a database. Whilst I don't think the latter would be a problem, I'm not sure about not being able to use sessions.

My question is, can I still use Acegi without HTTP sessions? Moreover, a user may not be sent to the same JBoss instance with each request, so the setup really does need to be stateless (actually, state is maintained by cookies and by updating the user's login time in the database).

Any advice as to whether Acegi is suitable for this would be appreciated. Alternatively, I am thinking of just using a straightforward intercepting filter.

Thanks,
Barry
Nov 12th, 2007, 08:52 PM
You can use Acegi without sessions as long as you always send the basic auth header, SAML token, or whatever your credentials are. Just set your session timeout to be really short so the residual data will be regularly cleaned up.
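
An added illustration of the stateless approach discussed in this thread (not code from any poster and not Acegi's own): a plain servlet filter that re-checks the Basic auth header on every request and never creates an `HttpSession`. `CredentialChecker`, the realm name and the `authenticatedUser` attribute are hypothetical, standing in for the existing DAO-backed authentication service.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical stand-in for the existing DAO-backed authentication service. */
interface CredentialChecker { boolean isValid(String username, String password); }

/** Authenticates every request from its Authorization header; never touches HttpSession. */
public class StatelessBasicAuthFilter implements Filter {
    private final CredentialChecker checker;

    public StatelessBasicAuthFilter(CredentialChecker checker) { this.checker = checker; }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = authenticate(req.getHeader("Authorization"));
        if (user == null) {
            // No or bad credentials: challenge the client, do not fall back to a session.
            res.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("authenticatedUser", user); // request scope only, no server state
        chain.doFilter(req, res);
    }

    /** Returns the username if the header carries valid Basic credentials, else null. */
    String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException malformed) {
            return null; // not valid base64: treat as unauthenticated
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon <= 0) return null; // missing separator or empty username
        String name = pair.substring(0, colon);
        return checker.isValid(name, pair.substring(colon + 1)) ? name : null;
    }
}
```

Because the credentials travel on every request, this only makes sense over HTTPS. The filter takes a constructor argument, so it would be defined as a Spring bean and reached through `DelegatingFilterProxy` rather than declared directly in web.xml.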
Nov 13th, 2007, 03:38 AM
Thanks, but due to other factors I think Acegi security may not be appropriate on this occasion.